General Data Protection Regulation - Explained

In 2012, the European Union (EU) lawmakers decided to modernize the data protection and privacy rules in force across the 28 EU member states. The proposal was drafted to boost individual rights and give consumers greater control over their data in the digital economy. After more than four years of negotiations between the various EU institutions, the General Data Protection Regulation (GDPR) was passed by the parliament in 2016. GDPR superseded the Data Protection Directive issued across the EU in 1995.
To give companies time to prepare for its provisions, it was decided that the regulation would come into effect from 25 May 2018.

What is GDPR?

It is the new data protection law put in place across the European Union (EU) to safeguard the personal information of European Citizens. GDPR’s 99 Articles spell out an individual’s data rights and also the obligations companies should fulfil to achieve compliance. Any company that fails to do so either has to pay a penalty or cut ties with European citizens.

Does Brexit affect GDPR?

Just a few months before the roll-out of GDPR, the UK passed a new data privacy regulation called the Data Protection Act 2018. Its laws are identical to the ones found in GDPR. However, post-Brexit, companies dealing with data travelling between the European Economic Area and the UK are likely to face some friction. To avoid such issues, the UK is trying to obtain an adequacy certificate from the EU stating that the UK's Data Protection Act is similar to GDPR.

Who is responsible for the enforcement of GDPR in the EU?

The European Data Protection Board (EDPB) is the body that rolled out GDPR across all the 28 EU member states. It’s made up of the heads of the Data Protection Agencies (DPA) of the different states. Each state has one DPA and each DPA is an independent public authority. They are tasked with the implementation of the privacy law in companies and public organizations under their jurisdiction.

Who is affected by GDPR?

GDPR applies to individuals, businesses and public organizations dealing with the personal data of European citizens. GDPR requires both data controllers and data processors to comply with its requirements. Data controllers are entities that decide the purpose and means of processing data. Data processors perform data processing on behalf of the data controller. Take a business website as an example: if the business collects visitor information, it becomes a data controller. If it uses a tool like Google Analytics to gain insights from the collected information, then Google Analytics becomes a data processor for the business.

What data is protected by GDPR?

GDPR segregates the personal information of an individual into two buckets: personal data and sensitive personal data. Personal data includes any data through which a living person can be identified directly or indirectly. Names, physical addresses, IP addresses and pseudonymized data fall in this bucket. Pseudonymized data refers to data that is encoded with artificial identifiers such as an alias; it's similar to writers using pseudonyms to hide their identities. Sensitive personal data includes trade union membership details, political opinions, sexual orientation and other such information.

How can businesses comply with GDPR?

GDPR has overhauled the way businesses handle user data. It requires businesses to:
  1. Have data protection policies in place
  2. Maintain clear documentation of how data is being processed
  3. Possess data impact assessments
Simply put, businesses should have clear records of what information they hold, what they are doing with it, and how they are legally processing it.

Under GDPR, large scale (companies with more than 250 employees) data processors and controllers must appoint a Data Protection Officer (DPO). The DPO reports to the senior members of staff. The Data Protection Officer's responsibilities include:
  1. Conducting periodic security audits to ensure compliance with GDPR
  2. Educating employees about compliance
  3. Training staff involved in data processing
Further, under GDPR, data controllers and processors have to report to their respective DPAs any security incident that results in a user's data being lost, stolen or accessed by an unauthorized third party. This must be done within 72 hours of becoming aware of the incident.

However, not all data breaches need to be reported. Only those that put an individual's 'rights and freedoms' at risk need to be notified to the DPA. For low-risk breaches, it's enough to document them internally along with the reason why they were not reported to the DPA.

Giving Back Control to Consumers

GDPR has strengthened consent requirements. Barring a few exceptions (e.g. processing in the public interest or compliance with a legal obligation under EU law), companies have to communicate to users why their data is being processed.
Most importantly, GDPR ensures that consumers who have consented to their data being processed retain complete control over it. That is where the host of individual rights comes into the picture.

Consumers have the right to access their data. They can place a Subject Access Request (SAR) to fetch the data a company holds about them. The SAR is not a new concept: it was already present in the 1995 Data Protection Directive, the one GDPR replaces. However, back then consumers had to pay a fee of 10 euros every time they placed a request. GDPR scrapped that fee and made sure people can access their data without paying for it.

Moreover, on receiving a SAR, a company has to furnish all the data it holds about the individual within 30 days.
Other rights an individual can leverage include the right to rectify inaccurate or incorrect personal data, the right to restrict processing, and the right to withdraw consent at any time. The 30-day time limit applies to all individual rights requests.
Consumers even have the right to ask for their data to be erased (the right to be forgotten) under certain circumstances, including:
  1. The purpose for which the data was obtained has been fulfilled
  2. The data was unlawfully processed
  3. The consumer simply doesn't want the organization to hold their data
To respond to individual requests swiftly, organizations need to put in place the necessary processes that will help them identify, access, edit and delete data.

GDPR Fines

One of the biggest talking points of GDPR has been its hefty fines for non-compliance. When a company fails to process personal data according to the law, it will be fined. When it suffers a breach, it will be fined. Any issue that violates the provisions of GDPR will lead to a fine.

The fines issued will depend on the magnitude of the violation. GDPR refers to violations of certain Articles as 'less severe infringements' and violations of others as 'more severe infringements'. For 'less severe infringements', firms will be fined 10 million euros or 2% of the global turnover of the preceding financial year, whichever is greater. For 'more severe infringements', firms will be fined 20 million euros or 4% of the global turnover of the preceding financial year, whichever is greater.

Speculation has been rife that GDPR authorities introduced hefty fines to issue business-crippling penalties to companies that aren't in their good books. But Elizabeth Denham, the UK's Information Officer responsible for implementing GDPR in the UK, says such claims are just rumours. She further adds that her team is working closely with organizations to help them implement GDPR. They only want to penalize companies that don't respect the privacy of individuals.

Final Thoughts

GDPR is certainly a big step up compared to the law it replaces. It has given users greater control over their data and has made businesses and public organizations take user privacy seriously. GDPR's exhaustive regulations might seem overwhelming. However, they have been crafted that way to help companies realize that GDPR compliance is a process and not a one-off event.