Data protection law deconstructed: a complete summary of GDPR
The General Data Protection Regulation (GDPR) is a revolutionary new law that requires organisations to do more than just tick and untick some boxes. It needs them to make enterprise-wide changes and ultimately transform their business operations. Also, the cost of negligence can be very high and non-compliance can result in hefty fines of up to 20 million Euros or 4% of annual turnover (whichever is higher). So, organisations need to make sure that they are on the right side of GDPR. Here is a quick summary to help you understand the workings of this new regulation and discover whether your organisation is GDPR compliant or not.
The need of the hour
Data protection is a critical concern for everyone from governments to corporations to individuals today. And rightly so. As the use and misuse of personal data become more prevalent, the gaping holes in the existing data protection laws have come to the fore. Governments across the world are going back to the drawing board to make amends and create laws that address modern data privacy concerns and not those of a decade ago. European Union’s General Data Protection Regulation (GDPR) is a milestone in that direction. It replaces previous data protection laws in the EU states like the UK’s 20-year old Data Protection Act (DPA).
GDPR is a unified data protection law for all the people living within the European Union, which also expands oversight to data that is transferred out of the EU. This GDPR summary will highlight the fundamentals and then expand these in more detail.
What data is covered under GDPR?
General Data Protection Regulation (GDPR) explicitly states any data that identifies a natural person is classified as personal data. It doesn’t matter whether that data is collected by direct or indirect reporting; it can be in any format and processed in any way.
Companies should be ready for more stringent controls over personal data. The list of personal data includes the name, address, email address, photograph, IP address, GPS data, cookies, and analytics data. Other than that, there are special categories of data like race, religion, political views, membership to labour unions, sexual orientation, and health information. In light of the modern developments, biometric data and genetic data are now added in the special categories of personal data.
Consumers get a lot of power
Consumer data protection is the primary goal of GDPR. However, under this law, the consumer becomes significantly more empowered. GDPR eliminates a large number of loopholes in the previous set of rules. Consequently, without the knowledge of the consumer, organisations find it more difficult to obtain and process data. This GDPR summary covers, what rights the consumers have under GDPR.
Stricter rules for consent
They have become stricter. Organisations need to be more careful while crafting their consent forms. For GDPR compliance, they need to show evidence of consent to collect and use the personal data of any individual. This quick GDPR summary covers what kind of consent forms are acceptable.
✓ Clarity of purpose
GDPR is very particular about the type of consent the organisations want their employees, customers, and other partners to sign. It demands that the consent forms be written in plain language that makes sense to the individuals signing it. The signatory should be informed about the extent of the consent they are granting. There should be no ambiguity. The purpose of the data collection and processing should be explicitly stated, and the consent should be freely given.
✓ Active consent
Up until now, the silence of the individual was treated as consent. Not anymore. Under GDPR, already ticked boxes, inability to say no, or any inactivity does not qualify as consent. The data subject has to provide active consent to use the information provided by them for organisations to be able to use and process it.
Also, children under the age of 13 years do not have the power to give their consent. Their consent can be valid only if parental consent accompanies it.
✓ Power to withdraw
GDPR gives data subjects the right to withdraw their consent at any time. Without consent, organisations cannot use the data of such individuals for any processing.
Better control over how data is processed
Residents of the EU states are going to enjoy a lot more control over who collects their data and how they process it. This GDPR summary indicates how the rights of the EU residents are all set to experience a significant boost by the implementation of the General Data Protection Regulation (GDPR).
✓ Improved access
Under GDPR, data subjects can put up a request to the controller to understand why their data is being processed and how it is being processed. They can also ask the controller of the data for a copy of the data being processed. However, the controller does have the right to charge a fee to cover the administrative costs incurred in this process.
✓ Exercising objection
EU residents also have the right to object to the data processing and report it to the supervisory authority. They can even get any inaccurate data corrected.
GDPR goes one step further to give the EU residents the right to have their data erased by the data collector and processor. The data controller has to oblige such a request for the deletion of personal data. This has been termed in the Article 15 of GDPR as the ‘right to be forgotten’. It is possible that the controller receives an erasure request for data that has already been made public. In such a case, the controller has to undertake all the necessary measures, including technological, to inform the other data processors about the erasure request.
✓ Data portability
GDPR wants to make EU residents masters of their privacy. Under GDPR, they decide which service provider gets to collect that data and who gets to store it. So much so that they can place a request to move their data from one service provider to another.
Which organisations come under their purview?
One of the most profound impacts of GDPR is the extension in the instances that come under its purview. Of course, all organisations that operate within the EU are required to comply with the new regulation. Whether it is a profit-making business, a non-profit charity, or a public authority, if they are collecting the personal data of people residing in the EU, they are covered under GDPR. So, it is not just the citizens, GDPR safeguards the data of everyone residing in the EU.
Organisations that do not operate within the EU, but do collect, store, or process the data of the EU residents, also come under GDPR. Even third-party organisations that work for companies offering goods and services to EU residents come under the purview of GDPR. That is a large group of industries and businesses that are affected by GDPR, and that is why it has created so many ripples across the business world.
What principles do these organisations have to follow?
General Data Protection Regulation (GDPR) has enlisted 6 data protection principles in Article 5. All the organisations within the EU or those outside of the EU that deal with the personal data of EU residents are required to process the personal data according to these 6 GDPR data protection principles.
✓ Principle 1: Fair & Legal Practice
GDPR requires organisations to collect and process data in a lawful, fair and transparent fashion. They have to build systems and create processes that ensure this.
✓ Principle 2: Limitation of Purpose
Data should be collected only for a specific, explicit and legitimate purpose. The organisations are required to state why they are receiving the data and how they intend to process it. If they are using the data later, it should be compatible with those stated purposes.
✓ Principle 3: Data minimisation
The reason for the data collection stated by the organisation specifies the need and relevance of the data collected.
✓ Principle 4: Maintaining Accuracy
Organisations are responsible for maintaining the accuracy of the data collected by them. They are also required to erase the data of questionable accuracy or update it without any undue delay.
✓ Principle 5: Limit Storage
Data that allows a data subject to be identified should be stored for as long as it serves its intended purpose and is necessary.
✓ Principle 6: Secure the Data
Data should be collected, stored and processed in a manner that ensures its security. It is the organisation’s responsibility to take all organisation-wide and technical measures to maintain the integrity of the data against damage, accidental loss, theft, and other such mishaps.
How can the organisations ensure compliance with GDPR?
General Data Protection Regulation (GDPR) has not been created to bring down organisations collecting and processing data. However, it has been put in place to make sure that they handle such data more responsibly and transparently. The GDPR penalties and the backlash for not following through are huge, which are covered later in this GDPR summary. But, here are some ways in which organisations can safeguard themselves.
✓ Review Security
Organisations should use better and more secure methods to safeguard their user data stored on-premises as well as on the cloud. Encryption can be used to secure servers, storage, media, and networks. Strong key management and verification of identities for access to data are other steps that can be taken to improve security and GDPR compliance.
This is important because if data thieves attack the organisations, then they can save themselves hefty fines by proving that they had taken all the necessary precautions to secure the data.
✓ Record Keeping
As the consumers can place requests for accessing, editing, or erasing of their data, it is essential for organisations to ensure proper records are in place. GDPR compliance not only requires that the organisations keep the data secure, but also produce it without ‘undue delay’ when asked to do so. Therefore, organisations must keep proper records to track the data movement and its processing.
✓ Creating Flexible Systems
As has already been stated in this GDPR summary, organisations under GDPR have to change the data or even delete it, on request. This means that the organisations must bring and retain a high degree of flexibility into their systems to manage data in the future. They might need to edit the data or even delete it entirely from their systems. So, organisations need enterprise-wide software solutions which offer that kind of flexibility.
✓ Updated Consents
Organisations should ensure that they have updated consent for all the data they are storing and processing. The GDPR summary has already mentioned how consent forms should look like. If they do not have the required consent, then they should have a strategy in place to request, record, and refresh the consent of their data subjects.
“GDPR not only asks organisations to offer their consumers a better data privacy environment but also offers them the processes that need to be put in place that would ensure compliance. This GDPR summary must cover the cliff notes on the compliance requirements.“
✓ Ensuring Encryption of Data
All entities that collect, store and process data are responsible for its security as well. For GDPR compliance, reasonable, organisational and technical measures must be taken to ensure the integrity of the data they are handling. They can use data encryption, better security software, and follow more such safety protocols to make sure that the data remains inaccessible to unauthorized personnel or entities.
GDPR data protection laws also require organisations that transfer the personal data of individuals outside of the EU to put proper safeguards in place before doing so. To instantly report data breaches, loss of data, or any other data damage to the regulator, organisations have to create systems. They have to take action within 72 hours of the incidents. They also have to create processes that ensure that the individuals affected by these breaches are informed about the breaches within the same time frame.
✓ Data Protection Impact Assessment (DPIA)
Organisations which process data that “is likely to result in a high risk to the rights and freedoms of natural persons” is mandated to conduct a Data Protection Impact Assessment (DPIA). These include organisations that extensively analyse personal data which may have legal or other significant implications, organisations that participate in the large-scale monitoring of public areas, and so on.
✓ Data Protection Officer (DPO)
Again, a Data Protection Officer (DPO) has to be appointed in special cases where the organisation is a public authority or is involved in processing high-risk data or deals with data for special categories. A DPO is then entrusted with the task to keep the organisation informed of its obligations under GDPR, oversee compliance, and act as a point of contact for data protection agencies.
The General Data Protection Regulation (GDPR) is a set of regulations applicable to the European Union. This law provides a framework for data protection and privacy in the European Union and the European Economic Area.
This framework provides an outline of 7 key principles on the provision of privacy and data security in the digital nuanced world. According to the GDPR, all individuals have a right to decide whether they want to share their information with another business or not. The information may range from the basic contact details, medical and criminal history, sexual and gender-based information as well as any genetic, or behavioural data. There may be the use of such sensitive data in today’s market and product research.
It also looks over the processing, transfer and exchange of personal data outside the EU and EEA areas.
- the collection, organisation, structuring, storage of data
- the alteration, consultation, use, communication, a combination of data
- and the restriction, erasure or destruction of personal data.
The GDPR is based on seven key principles for processing data lawfully. The safeguarding of the 7 principles is essential for the lawful processing of personal data.
What happens if organisations do not comply?
General Data Protection Regulation (GDPR) is a big step towards strengthening data privacy. To ascertain that GDPR meets its intended objectives, it is essential that there is a strong deterrent to non-compliance. And the deterrent it is! This GDPR summary captures how the policymakers have ensured that the cost of non-compliance with the new data privacy law is prohibitively high.
✓ Financial Loss
The organisations that do not comply with GDPR guidelines deliberately or due to negligence can end up paying GDPR fines as high as €20 million or 4% of the global turnover of the organisation, whichever is higher.
Under the GDPR obligations, if an individual faces a data loss due to the infringement of the regulation, then compensation will be provided by the data controller. This means added legal costs for the organisation, which can further run into millions, depending on the extent of the loss to the individual in question.
✓ Loss of brand value
It is never right for an organisation to be involved in a data breach. There is a significant loss of customer trust which the company has amassed over years of operations and after spending thousands or millions of dollars in marketing. After being penalized for flouting a regulation, it will also become difficult for the organisation to acquire new customers as well. That is another added cost.
General Data Protection Regulation (GDPR) is a data protection regulation that sets a precedent for data privacy laws across the globe. After all, it is one of the most stringent and far-reaching data protection laws in the world. To comply with such a strict law, organisations have to unlearn old data practices to save themselves from hefty fines, loss of reputation and business.
In the wake of what you have read in this short GDPR summary, do you think organisations will ever be able to comply with GDPR fully? Or is the law impractical considering the way technology is progressing?