A bibliophile and technology enthusiast with a previous career in IT.
What is GDPR?
The General Data Protection Regulation (GDPR) represents an overhaul of the Data Protection Directive (DPD) that had been in force in Europe since 1995. The European Union (EU) has been at the forefront of safeguarding the rights of its citizens, and GDPR is seen as an essential step at a time when the internet does not provide clarity on how personal data is used.
GDPR is described in 99 articles and represents a radical change in the approach to handling personal data of EU citizens. Salient points include:
- It is a regulation instead of a directive – this makes it mandatory across the EU and improves enforceability.
- It expands the definition of personal data to include any identifiable information regarding a person – moving beyond name, ID and bank account number to include location information and social identifiers (the concept of a “like” on social media, etc.).
- It requires explicit consent for the use of data, based on unambiguous requests with explicit responses. Situations where the data is required to fulfill contractual obligations, or to fulfill legitimate interests of the data user (for example, a bank requires personal information to complete transactions), are not subject to the explicit consent rule.
- It defines the data subject's right to be given clarity on who is using the personal data and for what purpose, as well as the right to request and receive the data being used, the right to have all data deleted, and the right to revoke previously provided consent. Remedial rights of the data subject against all other parties (both the processor and supervisory authorities) are also defined.
- The roles of controller and processor are defined, with the controller having control of the treatment of data and the processor working under the instruction of the controller. Where large-scale data processing is involved, both the controller and the processor have to appoint a Data Protection Officer (DPO) who has oversight responsibility and serves as the interface point to EU supervisory authorities. Both also carry liability in case of non-compliance.
- Transfer of personal data to partners (including partners outside the EU) is allowed, subject to enforceability of all articles of GDPR and in accordance with international data transfer treaties. The controller initiating the transfer retains obligations with respect to GDPR.
- Data breaches that pose a risk to “personal rights and freedom” are to be notified to the authorities within 72 hours and to the data subject without undue delay.
- The role of country supervisory bodies and the European Data Protection Board are defined.
- Specific data processing situations, i.e. exceptions allowed to the rules, are defined.
- The procedure for fines and penalties is defined, with a cap of 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
What does it mean for the casual internet user?
Most users have come across updated terms of service and banners on various websites - media, shopping, search, etc. These have to do with the service companies updating the way they interact with customers in order to comply with GDPR. Most internet service companies intend to provide the same services across the globe; however, they are retaining the option to provide an EU variant and a non-EU variant of their services.
As an EU citizen, a user shall have the right to receive unambiguous information before signing up for a service - not complicated legalese running into multiple pages that cannot be understood. The user can expect to understand who the different parties using the personal data provided are and how they use it. The user can explicitly provide or reject consent to specific parties.
The user is also entitled to receive a download of the personal information that the service provider has accumulated and to ask to be forgotten, i.e. request data deletion. Further, the user can complain to the authorities and seek recompense in case of issues.
The service provider is obligated to inform the user about any significantly risky data breaches in a reasonable time frame.
What does it mean for a service provider with EU based customers?
The service provider has to upgrade the consent mechanism so that users are told the intended use of their data as well as the details of any partners/third parties who would have access to the user's personal data, including how they use it. The consent mechanism should allow the user to accept or reject the usage on a per-vendor basis.
The service provider is also required to provide evidence of how the data is secured, as well as logs of how it is used, to demonstrate that the usage is consistent with the stated intent.
A data protection impact assessment is required to assess the risks associated with new data processing scenarios.
The service provider has obligations to report breaches that are high risk to the supervisory authorities within 72 hours and to users within a reasonable time-frame.
For organizations heavily involved in personal data processing, a Data Protection Officer is to be appointed, whose role and responsibilities are defined by GDPR.
When does this happen?
The EU declared in 2016 that GDPR enforcement would begin on 25 May 2018. As a result, service providers and other processors of data who target customers in the EU have been preparing for GDPR over a period of two years and have devised means of being compliant with the regulation.
From that date onwards, supervisory authorities in the EU can inspect any personal data usage scenario that is non-compliant with GDPR and ask for updates and/or impose penalties. Users will also be able to seek information and complain if they are not adequately satisfied by the responses they receive.
It will be a period of watching and continuous improvement for the different service providers, as any records of non-compliance are published.
Overall, the situation would return control of personal data to its source, where the individual can choose to accept or deny how service providers and their partners use that data.
GDPR is a big deal
GDPR potentially overhauls the way internet-based companies process personal data, making them more accountable for their processes and giving the end user control over which personal data is used and how. It marks a major milestone in the history of the internet and touches far more organizations and industries than is apparent.
While it applies to EU citizens, the nature of the internet is poised to change all over the world, and it is only a matter of time before other regulatory bodies demand parity with the EU regulation.
The size of the penalties has drawn attention world-wide; however, the numbers listed are the potential maximum and are not necessarily applicable to every type of infringement.
The internet awaits the dawn of the GDPR era, specifically to understand the position of the supervisory agencies and to get a view of the level of enforcement, and whether there will be any leeway. On the other hand, some internet activists in the EU are preparing to raise complaints once the GDPR regime gets underway.
Time will tell whether we are actually at a point where the internet changes forever, as many industry analysts have predicted.
© 2018 Saisree Subramanian