Understanding How GDPR Compliance Affects Your Business
On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect. GDPR is the EU legal framework that governs how organizations handle the personal data of individuals in the European Union (EU). It also reaches companies on other continents that process personal data of individuals located in the EU, so the data privacy law and its compliance obligations do not stop at the EU's borders. Companies across industries must focus on GDPR compliance, provide the required disclosures, and take steps to ensure that the personal data of EU data subjects is protected.
What is GDPR?
You can learn more about the ins and outs of GDPR from our post, Introduction of GDPR. In general, GDPR is a privacy protection law that determines how businesses collect, store, and process personal data. Before turning to the practical impact of GDPR on covered entities, it is essential to understand the contractual provisions that govern the relationship between controllers and processors. Article 4 of the GDPR defines a:
- Controller: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”
- Processor: the “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
These contractual provisions are generally found in a data processing agreement, commonly referred to as a data processing addendum or “DPA.”
GDPR DPA Requirements
Suppose your business processes personal data relating to individuals residing in the EU, or provides such data to another entity. In either case, you are likely already familiar with the concept of a data processing agreement. The most fundamental provisions required by GDPR are found in Article 28(3). That paragraph requires that “processing by a processor” be “governed by a contract…that sets out the:”
- subject-matter of the processing;
- duration of the processing;
- nature and purpose of the processing;
- types of personal data subject to processing;
- categories of data subjects; and
- obligations and rights of the controller.
In addition to the above, GDPR sets forth several stipulations applicable to processors that must appear in the relevant agreement or DPA. These stipulations require that the processor:
- must act only on the controller’s documented instructions unless required by law;
- will ensure that individuals processing the controller’s data are subject to an appropriate duty of confidence;
- must take proper measures to ensure the security of processing;
- may only engage a sub-processor with the controller’s prior written authorization and under a written contract that imposes the same data protection obligations on the sub-processor;
- must take appropriate technical and organisational measures to help the controller respond to requests from individuals exercising the rights provided to them under GDPR;
- taking into account the nature of the processing and the information available to it, must assist the controller in meeting its GDPR obligations regarding the security of processing, notification of personal data breaches, and data protection impact assessments;
- must, at the controller’s choice, delete or return all personal data to the controller upon termination of the services relating to processing, and delete any existing copies unless the law requires their retention; and
- will make available all information necessary to demonstrate compliance and submit to audits and inspections.
Ensure GDPR Compliance with Bagchi Law
Whether your business is a controller entering into a DPA with a processor or a processor engaging a sub-processor, meeting each GDPR requirement may seem daunting. On the flip side, failure to comply with GDPR can result in significant fines. Since GDPR became effective in May 2018, the number of enforcement actions has risen sharply, so it is more important than ever for businesses to focus on compliance.
Schedule a consultation today to learn how the team at Bagchi Law can help you with GDPR compliance.