GENERAL DATA PROTECTION REGULATION (GDPR)
The EU General Data Protection Regulation (GDPR) is scheduled to come into effect on May 25th, 2018. Both the GDPR and the proposed UK Data Protection Bill will substantially change how businesses collect, process and make use of an individual's personal data. Because of this, businesses are now scrambling to work out how the new rules will affect the way they do business and how they handle customer information.
The GDPR replaces the Data Protection Directive 95/46/EC. It is designed to protect the personal data of individuals in the EU and to change the way organisations across the region approach data privacy. Once in effect, it will give individuals greater control over how, where and for what purpose their personal data is used, and it will give them easier access to that data. Personal data here means any information relating to an identifiable person, such as a name, home address, photograph, bank account details or medical information.
The GDPR does not apply to personal data processed for national security purposes, nor to processing by competent authorities for the prevention, investigation, detection or prosecution of criminal offences. That latter area is covered by a separate Law Enforcement Directive (Directive (EU) 2016/680) for police and criminal justice authorities, which lays down its own rules on the exchange of personal data at the national, European and international levels.
THE KEY ASPECTS OF GDPR
The main aim of the GDPR is to protect the personal data of individuals in the EU, including from data breaches that can compromise their privacy. Below are the key changes and a discussion of how they will affect individuals and businesses once the regulation is in effect.
- Impact on Businesses – Increased Territorial Scope. The GDPR applies to all organisations processing the personal data of individuals in the EU, irrespective of where the organisation is located. Previously, applicability depended on where the controller was established, which created considerable ambiguity about when the rules applied. Under the GDPR it no longer matters whether the processing takes place inside the EU; what matters is that the data subjects are in the EU. For an organisation with no EU establishment, the regulation applies where the processing relates to offering goods or services to data subjects in the EU (whether or not payment is required) or to monitoring their behaviour within the EU.
- Conditions for Consent – The rules for obtaining consent are more stringent than before. A request for consent must be presented in clear and easily understandable terms, in an easily accessible form, using clear, concise and plain language, and it must state the purpose of the processing it covers. Consent must be as easy to withdraw as it was to give. For online services offered directly to a child, the child must be at least 16 years old to give consent. Below that age, processing based on consent is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member states may lower the threshold, but not below 13 years.
- Heavy Penalty for Non-Compliance – An organisation that does not comply with the regulation can face administrative fines of up to 4% of its annual global turnover or €20 million, whichever is greater, for the most serious infringements (a lower tier of up to 2% or €10 million applies to others). One can imagine what a large organisation with a huge global turnover, such as Google or Apple, could end up paying if it commits a serious infringement such as processing personal data without a valid legal basis or violating data subjects' rights.
DATA SUBJECT RIGHTS
- Privacy Breach Notification – Under the new rules, a data controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, describing the nature of the breach, its likely consequences and the measures taken to address it. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also notify the affected data subjects without undue delay, clearly specifying what has happened and what they can do about it.
- Right to be Forgotten – This is also known as the Right to Erasure. It entitles a data subject to have the data controller delete their personal data and stop any further processing or dissemination of it, where one of the regulation's grounds applies, for example when the data is no longer necessary for the purpose it was collected for, when consent is withdrawn, or when the processing was unlawful. The right is not absolute: it does not apply where processing is necessary for, among other things, compliance with a legal obligation or the exercise of freedom of expression.
- Data Subject Access Requests – Data subjects will be able to submit access requests to organisations and data controllers to find out whether any of their personal data is held, for what purpose it is being processed, who it is disclosed to, how long it will be retained and where it came from. The controller must also provide a copy of the personal data free of charge, in a commonly used electronic format where the request was made electronically (a reasonable fee may be charged for further copies). The controller must respond without undue delay and in any event within one month of receiving the request; this can be extended by a further two months for complex or numerous requests, provided the data subject is told why within the first month.
- Privacy By Design – This concept means that data protection must be taken into account from the very inception of system design rather than bolted on afterwards. The regulation states that 'The controller shall..implement appropriate technical and organisational measures..in an effective way.. in order to meet the requirements of this Regulation and protect the rights of data subjects'. Article 25 of the regulation (data protection by design and by default) also requires that, by default, only the personal data necessary for each specific purpose is processed, which is the data minimisation principle set out in Article 5. In practice this means collecting less data, restricting who can access it and limiting how long it is retained.
- Data Portability – The GDPR also introduces a right to data portability: data subjects can obtain the personal data they provided to a controller in a structured, commonly used and machine-readable format, and transmit it to another controller, or have it transmitted directly where technically feasible. The right applies to processing carried out by automated means on the basis of consent or a contract.
- Data Protection Officers – Currently, data controllers must notify their local data protection authorities (DPAs) of their data processing activities, which can be burdensome. Under the GDPR this general notification requirement disappears. Instead, controllers and processors must keep internal records of their processing activities, and appointing a Data Protection Officer (DPO) becomes mandatory for public authorities, for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, and for those whose core activities involve large-scale processing of special categories of data or data relating to criminal convictions. Other organisations may appoint a DPO voluntarily.