The Facebook data scandal has reignited the debate around data protection and data privacy all over the world. With the May 2018 enforcement of the General Data Protection Regulation (GDPR) in view, companies dealing with the data of EU nationals will now need to alter their business models.
GDPR aims to unify data protection regulation within the EU and was created to give control of data back to the user. Adopted in April 2016, it gave companies two years to comply with its guidelines, and it is now set to roll out on May 25, 2018.
#1. GDPR will replace the existing Data Protection Directive 95/46/EC, adopted in 1995. This transition from a directive to a regulation is a significant step, one that will be binding on all countries dealing with the data of EU citizens.
#2. Once GDPR is enforced, companies will be required to provide clearly distinguishable consent terms while seeking data from individuals. The GDPR Regulation states,
“Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”
#3. Every data processing activity, whether carried out through automated or non-automated means, will come under the ambit of GDPR.
#4. Data controllers and data processors will now have to stick to the purpose for which data is being collected and cannot use it for any other purpose without user consent.
A data controller is defined as someone who determines the purpose and means of processing personal data.
As per Article 4 of the GDPR Regulation,
“‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;”
A data processor is responsible for processing the personal data on behalf of the data controller. GDPR’s Article 4 defines the term processor as,
“‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;”
#5. Any data processing activity that cannot be tied back to an identified or identifiable person will not be covered in GDPR.
#6. Even if a user has consented to sharing his/her data with the collector’s partner ecosystem, the user can still revoke this consent at any point in time. Any request for data erasure coming from such a user will then have to be honoured by the data collector.
#7. Following on from the preceding point, when it comes to data erasure, companies should not limit themselves to just deleting data files. They must also ensure that the erased data is irrecoverable using software solutions.
#8. Under the new GDPR regulation, companies now have the responsibility to notify regulators and users within 72 hours of discovering a breach.
#9. Non-compliance with GDPR would result in a fine of 10 million EUR or 2% of annual turnover, whichever amount is higher. Fines are stiffer, i.e. 20 million EUR or 4% of annual turnover (whichever is higher), in the case of a serious breach of the core tenets of GDPR, e.g. storing or processing data without taking consent from the user.
#10. Lastly, one of the most impactful changes in GDPR pertains to the rights of the user whose data is being collected. If data subjects believe that their data is being collected and/or processed unlawfully, they have the right to have their data ‘erased’ in some circumstances. When a data subject invokes this right with the data collector, the latter will then have to respond within 30 days.
There is a lot of confusion regarding whether Indian companies will be impacted by the implementation of GDPR or not. It needs to be remembered that if an Indian company processes the personal data of any customer in the European Union, it will have to abide by GDPR.
Before going ahead and processing any such data, Indian companies will have to take explicit approval from the customer.
Even a large IT services company headquartered in India but having a sales office in any EU country will be subject to the GDPR regulations.
A must-watch is this video from KPMG’s Paul Toner, Head of Management Consulting, in which he highlights 3 tips for organizations that are not ready for GDPR.
Here’s what PwC recommends you do to comply with the GDPR Regulation:
To get more details and understand the impact of GDPR in India, read the complete EU GDPR Regulation.
The importance of data protection cannot be overstated in today’s times. Companies will have to ramp up efforts to meet guidelines to ensure compliance with GDPR and other local data protection safeguards put in place by governments the world over. This is the era of the consumer, and regulatory bodies everywhere are leaving no stone unturned in giving control of information back to the user.