GDPR stands for General Data Protection Regulation. It is an EU regulation that becomes enforceable on May 25, 2018. GDPR is a new set of rules that applies to government agencies, private companies, nonprofit organizations, and any other kind of organization that offers goods or services to people in the EU (European Union), as well as to organizations that collect or analyze the personal data of EU residents. It applies regardless of where the organization itself is located. The updated rules are written with current technology in mind and, as the first major overhaul of European privacy law in well over a decade, they are expected to make privacy regulation far more uniform across EU member states than the previous directive did.

Personal data covered by the General Data Protection Regulation includes identification numbers (such as a national ID or social security number), names, location data such as a home address, online identifiers such as IP addresses, device IDs, screen names, email addresses, and more. Highly sensitive personal data is treated as a separate category (the "special categories of personal data"). It includes biometric data (such as retinal scans, facial-recognition templates and fingerprints), genetic data, health data, and data revealing political opinions, philosophical beliefs, racial or ethnic origin, trade union membership, sexual orientation or sex life, and religious beliefs.

There are four main elements of GDPR:

  • Enhanced rights to personal privacy
  • An enhanced duty to protect personal data
  • Mandatory breach reporting (to the supervisory authority within 72 hours of becoming aware of a breach, where feasible)
  • High penalties for non-compliance (fines of up to 4% of annual worldwide turnover or 20 million euros, whichever is higher)

Now that you know the basics of GDPR, it is important to understand the implications of these regulations before they take effect on May 25, 2018, roughly six months from the time of writing. It is especially important to examine the impact of the new regulations on cloud services. Compliance with GDPR will be a major challenge across all business verticals.

Organizations will have to make significant changes, from substantially increased investment to revised data management and privacy practices, for both cloud services and on-premise IT. GDPR is not just another regulation that can be worked around: an organization that fails to comply faces not only substantial fines but also reputational harm.

The IT implications, both cloud and on-premise, of the General Data Protection Regulation are discussed here:

  • Right of access and a copy of personal data – Individuals can obtain a copy of their personal data together with an explanation of the categories being processed (biometric data, voice data, demographic data, browsing history, location data and so on), the purposes of the processing and, most importantly, the identity of any third party that receives the data. For IT this means being able to locate and assemble every record about a given person across systems.
  • Rectification or correction of personal data – Individuals can require that inaccurate personal data be corrected, so a correction must propagate to every system that holds a copy.
  • Right to erasure – Individuals can require that their personal data be deleted once the purpose for which it was collected is over, and in particular when they withdraw consent. For the enterprise this means removing the individual's data not only from production databases but also from archives and all kinds of backups, which in practice requires knowing where every copy lives.
  • Objection to, and restriction of, processing – There are many cases in which data cannot simply be deleted because of a legitimate interest, such as protecting the rights of others or a legal hold. In such cases the data must be retained but its processing restricted, which in practice means storing it and doing nothing else with it.
  • Data portability – Individuals are entitled to receive a copy of their personal data in a structured, commonly used and machine-readable (interoperable) format, so that it can be transmitted to another data controller.
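
The erasure and legal-hold points above are hard to satisfy with plain record deletion once copies exist in archives and backups. One widely used engineering answer is crypto-shredding: encrypt each data subject's records under a per-subject key, so that erasing that key makes every copy unreadable wherever it sits. The following Python sketch is an added illustration and not code from the original article; it assumes a stdlib-only HMAC-based stream cipher as a stand-in for a real AEAD, an in-memory dictionary as a stand-in for a key management service, and constructed sample records. It also shows a portability export in JSON and a legal-hold check that refuses erasure.

```python
"""Crypto-shredding sketch: one key per data subject, so deleting the key makes
every copy of that subject's records (production, archive, backup) unreadable.
Added illustration, not from the original article.  Assumptions: an HMAC-SHA256
counter-mode keystream plus HMAC tag stands in for a real AEAD (use AES-GCM in
practice), and a dict stands in for a KMS/HSM holding the per-subject keys."""
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional, Set

NONCE_LEN = 16
TAG_LEN = 32


class LegalHold(Exception):
    """Erasure refused: the subject's data is under a legal hold."""


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the encryption key from the authentication key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out.extend(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class SubjectStore:
    """Production table plus ciphertext-only backup snapshots."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}           # stand-in for a KMS: the only place keys live
        self.production: Dict[str, bytes] = {}     # subject_id -> ciphertext record
        self.backups: List[Dict[str, bytes]] = []  # snapshots hold ciphertext only, never keys
        self.legal_holds: Set[str] = set()

    def put(self, subject_id: str, record: dict) -> None:
        key = self.keys.setdefault(subject_id, os.urandom(32))
        self.production[subject_id] = encrypt(key, json.dumps(record).encode())

    def snapshot(self) -> None:
        self.backups.append(dict(self.production))   # a backup copies ciphertext only

    def get(self, subject_id: str, source: Optional[Dict[str, bytes]] = None) -> Optional[dict]:
        table = self.production if source is None else source
        key, blob = self.keys.get(subject_id), table.get(subject_id)
        if key is None or blob is None:
            return None                # no key: the ciphertext is inert, even in an old backup
        return json.loads(decrypt(key, blob))

    def export(self, subject_id: str) -> Optional[str]:
        """Portability: structured, machine-readable copy of the subject's data."""
        rec = self.get(subject_id)
        return None if rec is None else json.dumps({"subject_id": subject_id, "data": rec})

    def erase(self, subject_id: str) -> None:
        """Right to erasure via crypto-shredding; refused while a legal hold applies."""
        if subject_id in self.legal_holds:
            raise LegalHold(subject_id)
        self.keys.pop(subject_id, None)            # this single deletion is the shred
        self.production.pop(subject_id, None)


def demo() -> dict:
    """Constructed sample data (hypothetical subjects); returns the observable outcomes."""
    s = SubjectStore()
    s.put("alice", {"email": "alice@example.com", "city": "Lyon"})
    s.put("bob", {"email": "bob@example.com"})
    s.snapshot()                                   # backup taken while both are readable
    s.legal_holds.add("bob")
    try:
        s.erase("bob")
        bob_blocked = False
    except LegalHold:
        bob_blocked = True
    before = s.get("alice", s.backups[0])
    s.erase("alice")
    return {"alice_backup_before": before,
            "alice_backup_after": s.get("alice", s.backups[0]),
            "alice_ciphertext_still_in_backup": "alice" in s.backups[0],
            "bob_erase_blocked": bob_blocked,
            "bob_export": s.export("bob")}
```

Running `demo()` shows the two properties that matter: the backup still physically contains Alice's ciphertext after erasure, yet nothing can read it, while Bob's erasure is refused because of the hold and his data remains exportable. The design choice is that backups and archives never receive keys, so the erasure workflow only has to track one object per subject (the key) rather than every copy of every record.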

Beyond these, the regulation brings further implications: strict security requirements, breach notification obligations, valid consent for data processing, record keeping, confidentiality, transparency and easily accessible privacy policies, and IT and staff training.