General Data Protection Regulation

Almost everything we do today revolves around data. Nearly every service we use, from social media and e-commerce to banking and government services, involves the collection and use of personal data. Large parts of daily life are now digitised and tracked: our photos, our journeys, even our heartbeat. More and more of this personal information is collected, stored and traded by companies and governments. The General Data Protection Regulation (GDPR) is best understood as a set of fundamental rights for individuals, with a practical rulebook for the organisations that process their data. It has mostly affected businesses that had overlooked their data protection responsibilities. At the same time, the evolution of the digital landscape has given cybercriminals increasingly sophisticated tools to penetrate IT systems, which makes the security side of the regulation more than a formality.

GDPR is European Union legislation, but it has a huge impact on businesses outside the EU, including in the U.S. It was introduced because the previous data protection laws were written before smartphones existed and before companies like Facebook and Google were collecting massive amounts of sensitive information. GDPR gives organisations rules on what they can and cannot do with personal data, and gives users more clarity about which of their data is being used and how organisations use it. Under the GDPR, personal data includes any data that can identify an individual, such as a name, phone number or username, but the law also treats online identifiers such as IP addresses and location data as personal data. Even stricter rules apply to special categories of sensitive data such as sexual orientation, health data and political opinions.

The GDPR has been in effect since 25 May 2018. It governs the processing of personal data of individuals in the EU, so regardless of where your business is located, if you collect, store or use data about people in the EU, you are subject to these regulations. The purpose of the legislation is to create a consistent and enforceable requirement to protect the right of individuals in the EU to the privacy and security of their data. Accordingly, GDPR applies to businesses located both inside and outside the EU. If you hold any data on people in the EU, or even email someone in the EU from outside the European Union, the regulation still applies to you. It applies to anyone who collects data such as subscriber details, or who records, organises, stores or performs any other operation on personal data. It is the most extensive regulation on data privacy today, but it will certainly not be the last. As more data is collected and kept about people, companies have to be responsible and accountable for that data. That is the goal the legislation seeks to achieve.

Any user has the right to request a copy of their data from any company that keeps or maintains records about them. As an organisation that holds data, you need a clear process for users to make such a request, for example a web form or an automated self-service download. You also need a mechanism to verify the identity of the individual making the request, so that one person's data is never handed to another. A company may not modify or delete the information in response to such a request unless deletion is specifically requested by the user. Companies have one month to comply with a request, and the information must be delivered in a readable and portable format. To protect both the company and the user, it is recommended that the entire process is documented, from receipt of the request through processing to delivery.

This regulation applies to anyone who collects, keeps or processes personal data. Its reach is extensive: something as simple as segmenting a mailing list counts as processing. Users have the right to access their data and also the right to know about the processing activities performed with it, for example what data was used to target advertisements at them and how their data is used to personalise content. Companies also have to disclose relationships with third-party providers that have access to the data or store it. The user further has the right to be completely removed from the records, known as the right to be forgotten or the right to erasure. This applies, for example, when the personal data is no longer needed for the purpose it was collected for, or when the individual withdraws consent for the processing. Exceptions exist where the processing is necessary for reasons of public interest, public health, or scientific or historical research, among others.

The regulation envisages strict rules for handling users' personal data and specifies new requirements for handling and storing personal data and for sharing it with third parties. The GDPR applies not only to organisations located within the European Union but also to those outside it if they offer goods or services to, or monitor the behaviour of, EU data subjects. GDPR has made it mandatory for organisations to conduct Data Protection Impact Assessments (DPIAs) where processing is likely to result in a high risk to individuals, in order to identify, understand and address any privacy issues that might arise from activities that involve the processing of personal data. The assessment is undertaken before the processing begins and covers topics such as a systematic description of the processing activity and the necessity and proportionality of the operations.

Data security is an important part of GDPR compliance. Among other requirements, organisations must implement appropriate and proportionate technical and organisational measures to protect personal data. If the organisation suffers a data breach, reporting it is now mandatory. Data processors must report personal data breaches to the data controller without undue delay, and the data controller is required to notify the relevant supervisory authority (in the UK, the Information Commissioner's Office) within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to the rights of data subjects, they must be informed without undue delay as well.

As far as cybersecurity is concerned, the General Data Protection Regulation requires proper information security measures, and the confidentiality, integrity, availability and resilience of processing systems and services are now explicitly part of privacy legislation. The regulation is also a good opportunity for companies to review and update their privacy policies. A privacy policy should be written so that ordinary people can understand it. It must outline the data collected directly, such as email addresses and usernames, and include a cookie policy specifying the types of information collected and how it is used. It must also state where users' data is stored and processed. User rights must be addressed too, with links or instructions for requesting their data, requesting to be forgotten and exercising data portability.