Commonly known as data protect

ion principles, the GDPR sets out seven key principles. These are: accountability, transparency, data minimization, storage limitation, purpose limitation, accuracy, integrity, and confidentiality.

These principles are designed to protect the personal data of individuals and ensure that it is processed in a fair, transparent, and accountable manner. GDPR compliance is essential for any organization that processes personal data, and failure to comply with the GDPR principles can result in significant fines. As a result, it is important for organizations to ensure that they have adequate GDPR compliance procedures in place. By adhering to the GDPR principles, organizations can help to protect the personal data of their customers and employees, and ensure that it is processed in a fair and transparent manner. Commonly, these are also known as data protection principles.

It is key to note that the accountability principle meant that the EU data protection legislation mandated that it is the responsibility of an organization to demonstrate compliance with the principles of GDPR. It is the organization that is to demonstrate how it is lawfully collecting and processing personal data.

Similarly, how is the purpose limitation being achieved? And, how about data minimization or accuracy? All this meant, that the organizations now have the burden of demonstrating compliance with GDPR principles.

GDPR requires that personal data breaches be notified to the supervisory authority and that too within 72 hours of becoming aware of such a breach. This new provision brought challenges and this meant a lot of organizations were panicking and of course the media. This was perceived to be a very strict requirement, even though some countries like the Netherlands already had mandatory notifications of data breaches. 

4 % of global revenue or 20 million Euros this meant a small organization which would be about half a million or 1 million Euros and could still technically get a fine of 20 million euros.

However, this created a lot of fear and a lot of anxiety saying. If an organization earning 1 million or half a million euros per year now gets fined 20 million Euros they will go out of business and there's this scaremongering or attention in the media on whether the law would kill small businesses also created a lot of buzzes. While the aspiration of GDPR was to harmonize the privacy compliance laws and modernize the practices, it was also essential because the world around us had changed from 1995 to now. For example, in 1995 the internet was still new and there were no smartphones. And, these days, now everything is digital and seems to be on the cloud.

In summary, the GDPR means:

• Putting the ownership of compliance with organizations.

• Providing authorities with powers like never before.

• Empowering individuals with rights and means to question organizations

All this is something that needs to be done retrospectively because some organizations, especially big tech almost had a free hand before. However, with the EU GDPR, they now need to take care of all these principles and requirements that are mentioned in the law.

While there were challenges in complying with the EU GDPR, there have been benefits as well. 

In the last few years, the reaction was it is a compliance thing we have to spend a lot of money. But if we look back now or especially in recent years, there have been studies that confirm there are business benefits based on compliance with EU GDPR.

Consequently, organizations are now starting to believe that privacy compliance brings them positive returns. A recent study by Cisco indicates that organizations confirm that they have achieved or received benefits at least twice their spending on privacy compliance.

Thanks to the media, the public is not more aware of privacy. Wherever you go wherever you talk, the public is talking about privacy. Even in countries where EU GDPR does not apply. In Covid, people are struggling for life and death but the debate is whether this is GDPR compliant? Or is this the end of privacy?

This is a very good sign because if GDPR can hold through these challenging times it will be very exciting times of course article 5 in GDPR allows for processing and even special powers to governments in case of a pandemic or epidemic.

Most organizations are now having a privacy department. This means an increased focus on privacy matters. As per CPO magazine, more than 75 percent of those surveyed told that they have at least one privacy professional onboard and 25 of them say they have a team of more than 10. Hence, most medium or large-size organizations is having a privacy officer or a privacy department.

While the small-sized are starting to look at something called a fractional privacy officer that means you don't need a DPO but you have somebody who is providing you privacy advice as and when you need it on a recurring basis and that's a model with which small and medium-sized companies are now going with. If you need help, you can always email us.

The creation of these privacy departments has meant a lot of jobs have been created certifications are being produced and consulting firms have made a lot of money, even the software vendors have started to come up and offer automation.

Now that you know what is EU GDPR, why it was a big thing, and what have been its benefits, let us understand a few terms that are crucial for the role your organization shall play in the context of EU GDPR.

In EU GDPR, your company can be playing the role of a Data Controller or Data Processor. So, what do we mean by this, and why does it matter

If your organization decides on what personal data to collect, and what to do with that data, your organization is a data controller as per EU GDPR  And if you

r organization does not decide on what personal data to collect, and what to do with that data, but merely acts upon instructions of another organization, then your organization is a data processor as per EU GDPR. 

So, as you plan to comply with the principles and requirements of EU GDPR, it is key that you know what role your company has in a processing activity.

In essence, we are transforming into a digital entity. In this digital age, new privacy rules are needed to reflect the extent and depth of change that has occurred over the last few decades. While the change we experienced was gradual, the change in privacy legislation happened all at once. This indicates that corporations will have to make modifications in the future to consider or respect privacy. However, GDPR or more generally, the importance of compliance with privacy laws is likely to grow.

If you’re not familiar with GDPR yet, now is the time to learn what it is and why it matters. Ignorance of this new law could result in hefty fines for your company – so don’t let that happen! Email us at hello@fit4privacy.com if you need help in getting compliant with EU GDPR. We can walk you through everything you need to know to make sure your business is ready. And, if you like to learn by yourself, take advantage of our Elite Privacy Masterclass for small businesses.

Punit Bhatia is one of the leading privacy experts who has worked with professionals in over 30 countries. Punit works with CXOs and DPOs to identify and manage privacy risks, and create and implement privacy strategies in a world that is digital, AI-driven, and has data in the cloud. Punit helps you to create a culture of privacy by establishing a privacy network and training management. Selectively, Punit is open to being a privacy advisor or coach for you.

Punit Bhatia is the author of four privacy books including the books “Be Ready for GDPR” and “AI & Privacy”. Punit is a global speaker who has spoken at over 50 global events and is a host /creator of the FIT4PRIVACY Podcast which has been ranked amongst the top GDPR podcasts in 2020 and 2021.

Punit is also a board member at ISACA Belgium Chapter and DPO Circle. In past, he served as a Training Advisory Board member at IAPP.

Punit is known to use simple business language while avoiding legal jargon. Punit is a certified Fellow in Information Privacy (FIP), CIPM, COP, and CIPP-E