EU General Data Protection Regulation (GDPR): Whose Data Is It Anyway???
The European Union (EU) Parliament approved the GDPR on April 14, 2016, after four years of preparation and much-needed debate on the shortcomings of the Data Protection Directive.
The GDPR will be enforced from May 25, 2018, and imposes heavy penalties on non-compliant organizations.
The EU GDPR replaces the Data Protection Directive (95/46/EC) and establishes uniformity among the differing data privacy laws across Europe. The GDPR takes a different approach from the ones organizations across the region have used towards data privacy issues concerning citizens.
The GDPR aims to protect the privacy of EU citizens while making data breaches extremely costly for defaulting parties. While retaining the same data privacy principles as the earlier directive, the GDPR proposes the following key changes to the regulations:
Increased Territorial Scope
The GDPR extends its jurisdiction to all organizations that process the data of data subjects (citizens), irrespective of where those organizations are located. Two categories of organizations processing the data of EU citizens have been defined, controllers and processors, and both are brought within the scope of the GDPR regardless of location, with the requirement of an EU representative for organizations located outside the EU.
Penalties
The GDPR proposes fines of up to 4% of annual global turnover or EUR 20 million (whichever is greater) for organizations involved in the most serious breaches. Importantly, the GDPR does not spare cloud services from its enforcement.
Consent
The GDPR removes ambiguities in the process of seeking consent from citizens and mandates that consent be sought through explicit, legible documentation. It also aims to empower citizens to withdraw consent without having to go through a cumbersome process.
The following rights of data subjects (citizens) are provided under the GDPR:
Breach Notification
The GDPR makes breach notification mandatory in all member states wherever a data breach is likely to result in a risk to the rights and freedoms of citizens. This notification must be made within 72 hours of first becoming aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Right to Access
The GDPR gives data subjects the right to ask data controllers whether or not personal data concerning them is being processed, where, and for what purpose.
Right to be forgotten
The GDPR gives data subjects (citizens) the right to have data controllers erase their personal data, cease further dissemination of the data, and have third parties halt processing of the data.
Data Portability
The GDPR introduces data portability: the right of data subjects (citizens) to receive the personal data concerning them, which they previously provided, in a commonly used and machine-readable format, and to transmit or port that data to another controller.
Privacy by Design
The GDPR mandates that data controllers implement appropriate technical and organisational measures, in an effective way, to meet the requirements of the regulation and protect the privacy rights of data subjects.
Data Protection Officers
The GDPR makes the appointment of Data Protection Officers mandatory to ensure uniformity in the data protection activities of controllers and processors.
The EU is looking at exciting times ahead, with control of personal data being placed back in the hands of its citizens. However, this has created a nightmarish scenario for controllers and processors, which are racing against time to ensure compliance on or before May 25, 2018. It will be interesting to witness the rollout of the GDPR and its subsequent implications for data privacy in the times to come.
–Dr. Tarun Kumar Singhal