General Data Protection Regulation
The landscape of data protection and security in the European Union (EU) has changed significantly with the new and improved data protection regulation known as the GDPR (General Data Protection Regulation). The GDPR was approved by the legislative bodies on April 14, 2016 and is set to be enforced from May 25, 2018. The bodies responsible for the legislative process were the European Commission, the European Parliament and the Council of Ministers of the European Union. Two advisory bodies also helped put this legislation into effect: the Article 29 Data Protection Working Party and the European Data Protection Supervisor.
Once the regulation takes effect, all companies, whether EU or non-EU, that store and maintain the personal data of European citizens will have to comply with it.
Prior to the GDPR, the DPD (Data Protection Directive 95/46/EC) was in effect in the EU. Although the key principles of data privacy are the same under both, the GDPR is an improved regulation that replaces the DPD to match the present environment. It aims to ensure data security for EU citizens and enforces a stricter approach to data privacy.
What are data subjects and personal data?
According to Article 4(1) of GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subjects are all the people in the EU whose personal data is collected and who can be identified by basic or online identifiers. Online identifiers include IP addresses, cookies and radio-frequency identification (RFID) tags.
What happens if you don't comply
If your organization is in breach of the GDPR, it can be fined up to 20 million euros or 4 percent of annual global turnover, whichever is greater. This maximum fine is reserved for the most serious level of infringement. Note that for large companies that could easily pay 20 million euros, the penalty will be 4 percent of annual global turnover, which can amount to far more.
The GDPR, however, adopts a tiered approach to penalties for infringements. Lower-tier infringements, such as failing to notify the supervisory authority and the affected individuals of a breach, or failing to keep records in order, can cost up to 2 percent of annual global turnover.
1. Right to be informed - Every individual has the right to be informed about the collection and use of their personal data. Privacy information must be provided to all individuals, stating the reason for collecting the data, the retention period and the purpose of sharing the data with other parties.
2. Right of access - Individuals can ask for information about their personal data at any time, such as the status of their data, where it is being processed and for what purpose. The data has to be provided to the individual in a human-readable format.
3. Right to rectification - All individuals have the right to have their information corrected, or completed if it is incomplete. They can do so by raising a request for rectification either verbally or in writing.
4. Right to erasure, or right to be forgotten - Individuals have the right to request the erasure of their data. The request can be made verbally as well as in writing. However, this is not an absolute right and applies only in certain circumstances.
5. Right to restrict processing - Individuals have the right to restrict the processing of their personal data. Organizations have one month to respond to a request. However, this right is not absolute and applies only in specific cases.
6. Right to portability - This right enables individuals to obtain and reuse their personal data for their own purposes. Organizations are expected to provide the data in a machine-readable format such as CSV files.
7. Right to object - Individuals have the right to object to the way their data is being processed. They can object if their data is being used for direct marketing, historical or scientific research, or statistics.
8. Rights related to automated decision making, including profiling - This right covers profiling and automated decision making. Under Article 22 of the GDPR, provisions are made to protect individuals from organizations carrying out automated decision making that has legal or similarly significant effects on them.
You can study these rights in detail by clicking on the following link.
Who does GDPR affect?
Article 3 of the GDPR specifies which organizations must comply with the regulation. The key cases are discussed below.
1. Any organization (data controller or processor) established in the European Union is subject to the GDPR, irrespective of whether the processing takes place in the Union.
2. Any organization (data controller or processor) not established in the European Union but processing the personal data of individuals in the Union is also subject to the GDPR.
In the second case, the processing must relate to the offering of goods and services to those individuals or to the monitoring of their behavior.
This law therefore covers most global organizations, because every major organization in the world has EU residents among its user base. They can either separate their EU users and apply the GDPR to them alone, or apply the regulation to all of their users.
Guidelines for Organizations to prepare for GDPR
If your organization falls under the GDPR, the ICO (Information Commissioner's Office) has published a 12-step guide to help you prepare for it.