Until now, the minimum standard for processing data in the European Union was the Data Protection Directive of 1995. This has been replaced by GDPR, the General Data Protection Regulation. GDPR is often called the most important data privacy regulation of the last 20 years. The EU Parliament approved it in April 2016 and it came into force on 25 May 2018. Since that date it has applied to organisations across the world.
GDPR is designed to give EU citizens more control over their personal data. It empowers them to demand that companies reveal or delete the personal data they hold. Under the terms of GDPR, organisations have to ensure that they gather personal data legally and under strict conditions. Organisations that collect and manage such data are also obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so.
The aim of GDPR is to simplify the regulatory environment for business in such a way that both citizens and businesses in the European Union benefit from the digital economy. Because GDPR is a regulation and not a directive, European countries do not have to draw up new legislation. Instead, it applies automatically.
What was the need?
‘Free’ services from the likes of Google, Facebook and Twitter exchange a wide range of personal information, from names and email addresses to political leanings and sexual orientation. Until now this data was only collected, but recently it has been found that it was traded as well. They process and compile user information and send it to third parties without the user’s permission. A potential consequence of such a practice was demonstrated by Facebook’s Cambridge Analytica data leak. Millions of users’ data was used, allegedly to influence the outcome of the 2016 US election.
Until now, companies used confusing terms and conditions and passive opt-out tick boxes. Such tactics made it difficult for people to understand what exactly was happening and which information they were giving up. To comply with GDPR rules, companies have to obtain consent from the data subject in an active and affirmative way. Previously they obtained consent under a passive acceptance model that used pre-ticked boxes or opt-outs.
To whom does GDPR apply?
GDPR applies to all organisations that control or process personal data relating to EU residents. Organisations do not necessarily have to be based in the EU to be obliged to follow GDPR: if they are processing or holding data of EU residents, GDPR applies to them. To escape GDPR, firms based outside the EU can install location filters that block traffic from the EU.
What does personal data under the GDPR mean?
Under the current legislation, personal data includes names, addresses, and photos. Lawmakers have extended the definition of personal data to cover IP addresses and related identifiers, so that many more domains come under its ambit. It also includes sensitive personal data such as genetic data and biometric data, which can be processed to uniquely identify an individual.
The ‘right to be forgotten’
GDPR allows individuals to exercise a ‘right to be forgotten’ against the companies that store and process their data. They can do so because they disagree with how the organisation is processing their information, or simply because they no longer want their data to be collected. People can also have their data deleted if they feel it is no longer relevant, or that the company storing it no longer needs it for the purpose it was collected for. The controller is responsible both for deleting the data itself and for telling other organisations to delete any links to it and any copies stored elsewhere.
What are the GDPR fines and penalties for non-compliance?
Companies that fail to comply with GDPR face a maximum fine of 10 million Euros or 4% of the company’s annual global turnover. The latter could mean billions of dollars for tech giants whose market capitalisation runs to billions or even trillions of dollars. Depending on your role in collecting or processing that data, the regulation views you as either a data controller or a data processor.
Data Protection Officer
Under the terms of GDPR, an organisation must appoint a Data Protection Officer (DPO) if it carries out large-scale processing of special categories of data. It must also do so if it carries out large-scale monitoring of individuals, such as behaviour tracking, or if it is a public authority.
GDPR-compliant breach notification
If a company loses data as a result of a cyber-attack, human error, etc., it is obliged to deliver a breach notification. This must include approximate details of the breach, the categories of information and approximate number of individuals compromised as a result of the incident, and the approximate number of personal data records concerned.
Organisations also have to provide a description of the potential consequences of the data breach, such as theft of money or identity fraud. They must also describe the measures taken to deal with the data breach and to counter any negative impacts the individuals might face.
GDPR affects every company, but it hits hardest those that hold and process large amounts of consumer data: mainly technology firms, marketers, and the data brokers who connect them. The largest impact is on firms whose business models rely on acquiring and exploiting consumer data at scale.
At first GDPR might seem complex, but a large chunk of the legislation is taken from the UK’s Data Protection Act. Some elements of GDPR, such as breach notification and ensuring that someone is responsible for data protection, must be addressed by organisations, or they run the risk of a fine. Each business will have to examine how it complies with the rules.