The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). When the GDPR takes effect, it will replace the Data Protection Directive. The regulation was adopted on 27 April 2016 and will become enforceable from 25 May 2018.
This blog is an attempt to highlight a few basic and fundamental points about this regulation:
Who It Covers
Under this regulation, any organization that gathers personal data from a data subject is considered a data controller. Data processors are organizations that process data on behalf of a data controller, such as a payroll processor or a cloud service provider. GDPR applies equally to data controllers and to data processors (processors are covered directly for the first time). Data controllers have to document the purposes for which they are collecting the data, how and why they will use or process it, and with whom they will share it.
Single set of rules and one-stop shop
A single set of rules will apply to all EU member states. Each member state will establish an independent Supervisory Authority (SA) to hear and investigate complaints, sanction administrative offences, etc. SAs in each member state will cooperate with other SAs, providing mutual assistance and organizing joint operations. The lead authority will act as a “one-stop shop” to supervise all the processing activities of that business throughout the EU.
Data Breach Notification
Data controllers are required to notify data subjects of any breach that poses a risk to the privacy or security of their data. Such notification must typically happen within 72 hours of the breach being discovered. Processors similarly are required to inform controllers of any breach without undue delay. GDPR also requires entities to report a breach to the appropriate data protection authority in their country.
The sanctions that can be imposed under GDPR are severe. A first, unintentional instance of non-compliance may draw only a written warning; in other cases, fines fall into tiers of up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year, whichever is greater. In certain cases, they can reach 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.
Data Protection by Design and Default
GDPR requires organizations handling EU data to incorporate privacy by design and default into their products and services. This means that organizations need to think about and implement appropriate technical controls and organizational processes for minimizing data collection and for protecting data from the outset rather than bolting on the controls later.
The law requires data controllers to conduct privacy impact assessments (PIA) in certain situations where there is a high risk of identity exposure or misuse.
GDPR encourages organizations to pseudonymise personally identifiable data, that is, to render it in a form that makes it impossible for anyone to directly identify individual data subjects. An example of pseudonymisation given here is encryption, which renders the original data unintelligible; the process cannot be reversed without access to the correct decryption key. The GDPR requires that this additional information (such as the decryption key) be kept separately from the pseudonymised data.
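As an added example (not code from the original post), the following stdlib-only Python sketch shows the key-separation principle described above. It uses keyed hashing (HMAC) plus a separately held re-identification table rather than the encryption the post names; the field names and sample records are constructed for illustration.

```python
import hmac
import hashlib
import secrets
from typing import Dict, List, Tuple

# Direct identifiers that are replaced before a record is shared for analysis.
# Field names are constructed for this example.
DIRECT_IDENTIFIERS = ("email", "national_id")


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Return (pseudonymised records, re-identification table).

    Each direct identifier is replaced by a truncated HMAC-SHA256 token.
    Tokens are deterministic for a given key, so records of the same subject
    stay linkable for analytics, but the pseudonymised output alone cannot be
    reversed. The token-to-identifier table is the "additional information"
    that GDPR requires to be stored separately from the pseudonymised data.
    """
    vault: Dict[str, str] = {}
    out = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in new:
                token = hmac.new(key, new[field].encode(), hashlib.sha256).hexdigest()[:24]
                vault[token] = new[field]
                new[field] = token
        out.append(new)
    return out, vault


def reidentify(record: dict, vault: Dict[str, str]) -> dict:
    """Restore direct identifiers; only possible with the separately held vault."""
    restored = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in restored and restored[field] in vault:
            restored[field] = vault[restored[field]]
    return restored


# Constructed sample records for the example.
SAMPLE = [
    {"email": "alice@example.com", "national_id": "AB123456", "purchase": 42.0},
    {"email": "bob@example.com", "national_id": "CD789012", "purchase": 9.5},
    {"email": "alice@example.com", "national_id": "AB123456", "purchase": 13.0},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)       # held by the controller, never shipped with the data
    pseudo, vault = pseudonymise(SAMPLE, key)
    print(pseudo)                       # safe to hand to an analytics team
    print(reidentify(pseudo[0], vault)) # only the vault holder gets the original back
```

In practice the vault (or the encryption key, if encrypting instead) lives in a separate store with its own access controls and audit trail, so that a compromise of the analytics dataset alone does not expose data subjects.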
Individual Right To Data Access
Data subjects can ask for and obtain a copy of all personal data held about them by the data controller. Upon demand, organizations will be required to confirm to individuals whether or not personal data about them is being processed, where it is being processed and for what purpose.
Organizations will need to provide the requested data in electronic format and typically for free, except in situations where an individual might be making excessive or unreasonable demands. EU citizens can ask data controllers to rectify any incorrect or incomplete information about them.
The Right To Data Portability
GDPR gives EU residents the right to ask data controllers to transfer personal data to another controller, where technically feasible. The statute requires controllers to provide the requested data in a structured, standard, machine-readable format.
Right To Be Forgotten
The GDPR establishes the right of data subjects to ask organizations to erase personal data about them. It also gives them the right to ask data controllers to stop the dissemination, sharing, or processing of their personal data with others.
When considering data erasure requests, data controllers will need to first verify if there is a public interest in the data continuing to be available, before erasing it.
Data Protection Officers
Public authorities and organizations whose core activities involve the systematic monitoring or processing of certain types of data, such as data revealing an individual’s racial or ethnic origin or religious or political beliefs, will be required to appoint a Data Protection Officer.
The DPO’s role will be to inform and to advise the data controller or data processor about their obligations under GDPR and to monitor compliance with those requirements.
A core part of this control is consent. Organizations that collect, store, and process individually identifiable data on EU residents will need to obtain informed consent from data subjects. The request for consent will need to be clear and in plain language, stripped of all legalese and jargon, explaining the purpose of the data processing for which the consent is being sought. Importantly, organizations will need to make it as easy for an individual to withdraw consent as it is to give it.
By:- Aman Chhikara