The General Data Protection Regulation (GDPR), drafted and passed by the European Union (EU), is the world’s most stringent law on data protection and privacy. GDPR applies to all organizations and companies, even those not situated in the EU, if they target, collect or store the data of people under the jurisdiction of the EU. GDPR replaced the Data Protection Directive 95/46/EC and came into effect on 25 May 2018. The provisions of GDPR levy extremely hefty fines for violation of its privacy and security standards, with penalties running up to millions of euros.
With the GDPR, Europe moved into new territory: a statutorily defined and strict stance on preventing data breaches. The GDPR’s primary objective is to shift control of personal data from the companies that process it to the individuals it concerns, and to simplify and regulate the environment for international business through uniform legislation within the EU. The regulation is holistic and all-encompassing, and covers small and medium-sized enterprises (SMEs) as well.
History of the GDPR
The right to privacy was introduced in the European Convention on Human Rights in 1950, which motivated the European Union to establish a broad legislation for the protection of data privacy. The Convention states, “Everyone has the right to respect for his private and family life, his home and his correspondence.”
As technology became more advanced and almost ubiquitous in our lives, the EU recognized the need to replace obsolete legislation with modern guidelines. It passed the European Data Protection Directive, which established minimum standards of data privacy and protection. But this Directive fell short of the rapidly growing reach of the internet. The first banner ad appeared online in 1994. By 2000, a huge number of financial institutions had started to offer online banking. Facebook became available to the public in 2006.
The first major report of a data breach surfaced in 2011, when a Google user sued the tech giant for scanning her emails. Two months later, it was declared that the EU needed “a comprehensive approach on personal data protection”, and work to improve on the 1995 Directive was initiated. The GDPR entered into force in 2016 after it was passed by the European Parliament. From 25 May 2018, the date it became applicable, all companies and developers were required to comply with its provisions.
It is important to note that GDPR applies to you even if you are not in the EU. If you process the personal data of EU citizens or residents, then you are legally required to be compliant. Some of the salient definitions under the GDPR are as follows:
Personal data: Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.
Data processing: Any action performed on data, whether automated or manual. The examples cited in the Regulation include collecting, recording, organizing, structuring, storing, using and erasing.
Data subject: The person whose data is processed. These are your customers or site visitors.
Data controller: The person who decides why and how personal data will be processed. If you’re an owner or employee in your organization who handles data, this is you.
Data processor: A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations. They could include cloud storage services like Tresorit or email service providers like ProtonMail.
Data Protection Principles
1. Lawfulness, fairness and transparency: Processing must be lawful, fair, and transparent to the data subject.
2. Purpose limitation: You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
3. Data minimization: You should collect and process only as much data as absolutely necessary for the purposes specified.
4. Accuracy: You must keep personal data accurate and up to date.
5. Storage limitation: You may only store personally identifying data for as long as necessary for the specified purpose.
6. Integrity and confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
7. Accountability: The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
How to Maintain Accountability
GDPR states that data controllers and processors must be able to demonstrate that they are GDPR compliant. You can maintain accountability to your users by the following means:
· Designate data protection responsibilities to your team,
· Maintain detailed documentation of the data you’re collecting, how it’s used, where it’s stored, which employee is responsible for it, etc.
· Train your staff and implement technical and organizational security measures,
· Have Data Processing Agreement contracts in place with third parties you contract to process data for you,
· Appoint a Data Protection Officer.
There are strict new rules about what constitutes consent from a data subject to process their information.
· Consent must be “freely given, specific, informed and unambiguous.”
· Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
· Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
· Children under 13 can only give consent with permission from their parent.
· You need to keep documentary evidence of consent.
Contrary to popular belief, not every data controller or processor needs to appoint a Data Protection Officer (DPO). There are three conditions under which you are required to appoint a DPO:
1. You are a public authority other than a court acting in a judicial capacity.
2. Your core activities require you to monitor people systematically and regularly on a large scale.
3. Your core activities are large-scale processing of special categories of data listed under Article 9 of the GDPR or data relating to criminal convictions and offenses mentioned in Article 10.
Users’ Privacy Rights
The GDPR provides for several privacy rights for data subjects, which are intended to give individuals more control over their personal data. As an organization, it is important for you to keep these rights in mind and to comply with the GDPR. The rights given to data subjects are as follows:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling