Updated: May 29
‘Data’ is the buzzword of the digital world we live in today. Fundamentally, almost every aspect of our lives revolves around data. From social media to banks, retailers and governments, almost every service we use involves the collection and analysis of our personal data.
The growing number of data breaches reported globally in recent years has only deepened users' unease about how their data is handled.
Regulation is one response: it can require that data protection safeguards are built into products and services from the earliest stage of development, providing ‘data protection by design’ in new products and technologies.
The GDPR is one such step taken to tackle this situation.
The acronym GDPR stands for General Data Protection Regulation, and its implementation signaled a turning point for privacy protection in the new era of big data.
The GDPR created a consolidated data protection legal framework across all European Union (EU) member states plus Iceland, Liechtenstein and Norway, the three non-EU countries that belong to the European Economic Area (EEA) single market. (Switzerland is not an EEA member and has its own data protection law.)
It has applied since May 25, 2018 and is one of the most wide-ranging pieces of legislation passed by the EU. The intent of introducing the GDPR was to standardize data protection law across the single market and give people greater control over how their personal information is used.
Let’s try to understand what is contained in this very critical regulation.
1) Personal data
Article 4 of the GDPR defines personal data as ‘any information relating to an identified or identifiable natural person’. ‘Identifiable’ covers indirect identification, so any data that identifies a person directly, or indirectly when combined with other information, counts as personal data. Examples of personal data include:
IP addresses and cookie IDs
Customer contact details
CVs and employment details
CCTV and call recordings
Information a business holds becomes personal data when a third party could take it, combine it with other data, and work out who it is about. For example, say your company knows that someone called Alice pays property tax of $1,000 in Capital City. Suppose a third party can access a public record showing that only one Alice resides in Capital City. In this case that information is personal data, because Alice can be indirectly identified.
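The Alice example is a linkage attack: a combination of attributes that is not a direct identifier (city plus tax amount, a ‘quasi-identifier’) is unique in some other dataset, so joining on it pins down one person. The Python below is an added illustration, not code from the original article or from any regulator. It joins a constructed ‘de-identified’ company table to a constructed public register on the quasi-identifiers, reports which records become identifiable, and measures the table's k-anonymity (the size of its smallest group of indistinguishable records) before and after generalising the tax column. All column names, records and the k threshold are assumptions.

```python
"""Linkage re-identification and a k-anonymity check (added example).

All data below is constructed for illustration; the column names, the
public register and the k threshold are assumptions, not GDPR text.
"""
from collections import Counter

# Constructed: the company's records with direct identifiers removed.
COMPANY_RECORDS = [
    {"record_id": 1, "city": "Capital City", "property_tax": 1000},
    {"record_id": 2, "city": "Capital City", "property_tax": 1000},
    {"record_id": 3, "city": "Capital City", "property_tax": 2500},
    {"record_id": 4, "city": "River Town", "property_tax": 1000},
    {"record_id": 5, "city": "River Town", "property_tax": 3000},
]

# Constructed: a hypothetical public register that carries names.
PUBLIC_REGISTER = [
    {"name": "Alice", "city": "Capital City", "property_tax": 2500},
    {"name": "Bob", "city": "Capital City", "property_tax": 1000},
    {"name": "Carol", "city": "Capital City", "property_tax": 1000},
    {"name": "Dan", "city": "River Town", "property_tax": 1000},
    {"name": "Erin", "city": "River Town", "property_tax": 3000},
]

# Attributes that are not identifiers on their own but may be in combination.
QUASI_IDENTIFIERS = ("city", "property_tax")


def key_of(row, columns=QUASI_IDENTIFIERS):
    """The quasi-identifier tuple used for joining and grouping."""
    return tuple(row[c] for c in columns)


def link_records(company_rows, public_rows, columns=QUASI_IDENTIFIERS):
    """Join both tables on the quasi-identifiers.

    Returns {record_id: [candidate names]}; an empty list means no match.
    """
    index = {}
    for row in public_rows:
        index.setdefault(key_of(row, columns), []).append(row["name"])
    return {row["record_id"]: index.get(key_of(row, columns), [])
            for row in company_rows}


def reidentified(company_rows, public_rows, columns=QUASI_IDENTIFIERS):
    """Records whose candidate list holds exactly one name are re-identified."""
    links = link_records(company_rows, public_rows, columns)
    return {rid: names[0] for rid, names in links.items() if len(names) == 1}


def k_anonymity(rows, columns=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing the same quasi-identifier values.

    k == 1 means at least one record is unique, hence linkable.
    """
    counts = Counter(key_of(r, columns) for r in rows)
    return min(counts.values()) if counts else 0


def generalise_tax(rows, band=5000):
    """Coarsen property_tax into bands so that small groups merge.

    Generalisation is one data-minimisation tactic; the band width is an
    assumption and must be chosen against the real data distribution.
    """
    out = []
    for r in rows:
        r2 = dict(r)
        lo = (r["property_tax"] // band) * band
        r2["property_tax"] = f"{lo}-{lo + band}"
        out.append(r2)
    return out


def meets_k(rows, k=2, columns=QUASI_IDENTIFIERS):
    """True when every quasi-identifier group has at least k records."""
    return k_anonymity(rows, columns) >= k


if __name__ == "__main__":
    hits = reidentified(COMPANY_RECORDS, PUBLIC_REGISTER)
    print("re-identified records:", hits)
    print("k before generalisation:", k_anonymity(COMPANY_RECORDS))
    banded = generalise_tax(COMPANY_RECORDS)
    print("k after generalisation:", k_anonymity(banded))
    print("meets k=2:", meets_k(banded))
```

Run it as a script to see the record for Alice (and the two River Town records) resolve to a single name while the two identical Capital City rows stay ambiguous. The same check belongs in a release pipeline for any ‘anonymised’ export: a table with k of 1 over its quasi-identifiers is still personal data in the sense of Article 4, whatever the column headers say.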
The GDPR also singles out ‘special categories’ of personal data (Article 9) that may only be processed under narrow conditions:
Racial or ethnic origin.
Political opinions.
Religious or philosophical beliefs.
Trade union membership.
Genetic data.
Biometric data for the purpose of uniquely identifying a natural person.
Data concerning health.
Sex life and sexual orientation.
2) Who does the GDPR apply to?
Anyone in the EU whose personal data is processed by an organization is a data subject under the GDPR; the protection is tied to being in the EU, not to citizenship. The legislation distinguishes two types of data handler: ‘controllers’ and ‘processors’.
A controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”, while the processor is a “person, public authority, agency or other body which processes personal data on behalf of the controller”.
The GDPR applies to organizations established in the EU regardless of where the processing takes place, and to organizations outside the EU that target EU data subjects by:
a) offering them goods or services (paid or free), or b) monitoring their behaviour within the EU.
3) What is GDPR Compliance?
Being GDPR compliant means ensuring data is collected, used and stored lawfully. This includes having a lawful basis for each processing activity (consent is one of six), disclosing why information is collected and how it is used, honouring data subjects' rights, and keeping the data secure.
Public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, must also appoint a Data Protection Officer (DPO) to oversee their processing activities.
In addition, any processing likely to result in a high risk to individuals, such as large-scale processing of special categories of personal data (like biometric or genetic data), requires a Data Protection Impact Assessment (DPIA) before the processing begins.
4) The Seven Core GDPR Guidelines
The GDPR sets out seven key principles (Article 5) that dictate how organizations must process personal data.
1. Lawfulness, fairness, and transparency: Processing must rest on a lawful basis, the data must be used fairly, and users must not be misled about how their data is used. The GDPR provides six lawful bases for processing (Article 6):
Consent: The data subject has freely given clear permission for the organization to process their personal data for one or more specified purposes, and may withdraw it at any time.
Performance of a Contract: The processing is necessary to enter into or perform a contract with the data subject.
Legitimate Interest: The organization must perform a three-part test: is there a legitimate interest behind the processing, is the processing necessary to achieve it, and do the data subject's interests, rights and freedoms override that interest? If the interest is not legitimate, the processing is not necessary, or the subject's rights prevail, legitimate interest cannot be the basis.
Vital Interest: Processing necessary to protect someone's life. This is rare and most commonly seen in emergency medical care.
Legal Obligation: Processing necessary to comply with a legal obligation the organization is subject to, such as employment, tax or consumer law.
Public Task: Processing necessary for a task carried out in the public interest or in the exercise of official authority, typically by a government body or an organization acting on its behalf.
2. Purpose limitation: The purposes of processing must be specified and recorded from the start; data may only be used for a new purpose if it is compatible with the original one or the data subject consents.
3. Data minimization: Only data adequate, relevant and necessary for the stated purpose should be collected.
4. Accuracy: Reasonable steps must be taken to ensure the collected data is accurate and kept up to date.
5. Storage limitation: Data must not be kept in identifiable form for longer than necessary for the purpose.
6. Integrity and confidentiality: Appropriate technical and organizational security measures must be in place to protect personal data against unauthorized access, loss or destruction.
7. Accountability: Organizations are responsible for complying with the GDPR and must be able to demonstrate that compliance.
5) What is GDPR breach notification?
If a breach of personal data occurs, the organization must report it to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the people affected, they must also be informed without undue delay so that they can protect themselves.
That notification to individuals must be a direct, one-to-one communication describing the breach, its likely consequences and the measures taken; a press release, social media post or website notice is only an acceptable substitute where contacting people individually would involve disproportionate effort.
6) GDPR Data Subject Rights
GDPR has empowered users by giving them an array of new rights regarding their personal data.
These are as follows:
The Right to be Informed: The GDPR emphasizes transparency in data collection practices, meaning individuals have the right to be fully informed about the collection and use of their personal data.
The Right of Access: Individuals can request a copy of the personal data held about them, together with the purposes of processing, the recipients it has been disclosed to and the retention period. This must normally be provided within one month (extendable by two months for complex requests) and free of charge, unless the request is manifestly unfounded or excessive.
The Right to Rectify Information: If data held about an individual is inaccurate, the individual can request a correction (rectification). The organization must respond within one month and correct the information. A data subject can also request the completion of incomplete information.
The Right to Erasure / The Right to be Forgotten: Individuals can request that data about them be deleted, for example because it is no longer needed for its purpose, because they withdraw the consent it rested on, or because it was processed unlawfully; the organization may refuse only on specific grounds, such as a legal obligation to retain it.
The Right to Restrict Data Processing: An individual can request to limit how their data is processed when certain conditions apply, such as if the processing is unlawful or if the individual has objected to it.
The Right to Data Portability: Where processing is based on consent or a contract and is carried out by automated means, individuals can receive the data they provided in a structured, commonly used and machine-readable format, and the controller must not impede its transfer to another controller. In essence, personal data must transfer easily to another organization.
The Right to Object: Individuals can object to the processing of their data in certain situations; for direct marketing, the objection must always be honoured.
Automated Individual Decision-Making: Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them, except in narrow cases with suitable safeguards.
7) What are the Consequences of Violating the GDPR Regulation?
There are two tiers of fines for violating the GDPR.
a) The most serious infringements, such as violating the core principles or data subjects' rights, carry a maximum penalty of €20 million or 4% of annual global turnover, whichever is higher. b) Less severe infractions, such as failing to keep records or to notify a breach, top out at €10 million or 2% of annual global turnover.
Enforcement doesn’t have to come in the form of a fine. Authorities can also issue a public reprimand or place restrictions on activity, like banning a company from processing the data of GDPR subjects.
8) What Does GDPR Mean for the future?
An April 2020 study by McKinsey found that consumers trust companies that don’t ask for too much personal data and react quickly to data breaches. With the GDPR leading the charge to regulate the flow of data, the future of privacy will be shaped by those who make data protection a priority today.
One of the major changes the GDPR brings is giving consumers a right to know when their data has been breached. Organizations must notify the supervisory authority, within 72 hours where feasible, so that measures can be taken to prevent the data from being misused. Consumers are also promised easier access to their personal data and to information about how organizations process it.