What is GDPR?

The General Data Protection Regulation (GDPR) is a new privacy protection regulation in the EU in replacement of earlier data protection regime, that has become active and enforceable in May of 2018. GDPR requires companies outside EU doing business in the EU to protect citizen privacy, and companies who do not comply will face heavy fines. What distinguishes GDPR from the earlier regulations is the high level of penalties envisaged under the regulation which may go up to Euro 20 million (approximately Rs 140 crores) or 4% of the global turnover of a company and will be applicable even for Non-EU based companies. If any Indian company is interested in working with data which includes personal information of EU citizens, the GDPR cannot be ignored.GDPR is the result of four years of work by the EU parliament to bring data protection legislation current with how data is processed and used today.

Objectives of GDPR:

Control: Give people more control over how their personal data is used

Trust: Tighter controls and tougher enforcement will improve trust in a digital economy

Simplicity: Give businesses a clear legal environment to operate identically across the EU

What’s in Scope of GDPR?

  • Every organization doing business with the European Union is in the scope of GDPR, no matter the organization size or industry they belong to.
  • Data that is collected, processed, stored, analyzed, transited etc are included in this regulation.
  • Both automated and manual systems will require data mapping included in the scope of GDPR

What is not included in the scope of GDPR?

  • Personal data who are not EU citizen
  • National security activities
  • A natural person in the course of a purely personal or household activity
  • Data of deceased persons
  • Legal persons

Note: This content should not be considered legal advice.

GDPR ResponsibilitiesDifference

Penalties for Non-Compliance of the GDPRGDPR Penelty

  • Right to be Informed: Data subjects have the right to be informed on the identity of the DC, details of the DPO, the purpose and legal process of the collection of personal data, data retention period, and other information to ensure a lawful, legal, and transparent process of personal data.
  • Right of Access: Data subjects have the right to confirm whether, why, and where the DC is processing their personal data, who the recipients of the data are (third-party), the right to erasure, rectify, restriction of processing and objection to process, to lodge a complaint with a supervisory authority, a copy of the personal data, and much more.
  • Right to Rectification: The data subject has the right to rectify inaccurate personal data from the DC without delay.
  • Right to Erasure: An individual can now ask for all personal data to be erased due to the purpose of the collection is changed, withdrawal of consent, the objection of the process, data unlawfully processed, legal obligation, and more.
  • Right to Restriction of Processing: The data subject can restrict the DC from processing personal data if the accuracy is contested, the processing is unlawful, the controller no longer requires the data for processing.
  • Right to Data Portability: Personal data of a data subject can be transmitted from one DC in a structured, general, and machine-readable format to another controller, as per the data subject’s request.
  • Right to Object: The data subject can object to the processing of their personal data at any time, on grounds relating to their particular situation. This right can also be exercised when personal data is directly used in marketing campaigns, the use of information society services, and is used for scientific, historical, or statistical purposes.
  • Automated Individual Decision Making: The right not to be subjected to a decision that is based solely on automated processing can also be exercised by data subjects.


Author: Jasmin Bhambure

SecuArk Pvt.Ltd