Data Protection Law Deconstructed: A Complete GDPR Summary
GDPR is not the same old wine in a new bottle. It is a revolutionary new law that requires organisations to do more than just tick and untick some boxes. It requires them to make enterprise-wide changes and completely transform their business operations.
Also, the cost of negligence can be very high. So, organisations need to make sure that they are on the right side of GDPR.
Here is a quick GDPR summary to understand the workings of this new regulation and discover whether your organisation is GDPR compliant or not.
Need of the Hour
Data protection is a critical concern for everyone from governments to corporations to individuals today, and rightly so. As the use and misuse of data become more prevalent, the gaping holes in the existing data protection laws have come to the fore. Governments across the world are going back to the drawing board to create laws that address modern data privacy concerns rather than those of a decade ago. The European Union’s General Data Protection Regulation (GDPR) is a milestone in that direction. It replaces the previous data protection laws of the EU member states, such as the UK’s 20-year-old Data Protection Act (DPA).
GDPR 2018 is a unified data protection law for all the people living within the European Union, which also expands oversight to data that is exported out of the EU geography.
This GDPR summary will hit all the basics and then build upwards.
Which Data Is Covered Under GDPR?
Under GDPR, any data that is specific enough to identify a natural person is classified as personal data. It does not matter whether that data is collected directly or indirectly, what format it is in, or how it is processed.
What does that mean?
Companies should be ready for more stringent controls over personal data. Personal data includes names, addresses, email addresses, photographs, IP addresses, GPS data, cookies, and analytics data. Beyond these, there are special categories of data such as race, religion, political views, membership of labour unions, sexual orientation, and health information. In light of modern developments, biometric data and genetic data have also been added to the special categories of personal data.
Consumers Get a Lot of Power
Consumer data protection is the primary goal of GDPR, so it is no wonder that under this law the consumer becomes significantly more empowered. GDPR plugs a large number of loopholes in the previous set of rules, and consequently organisations find it more difficult to obtain and process data without the knowledge of the consumer. This GDPR summary covers the broad strokes of what rights consumers have under GDPR.
Stricter Rules for Consent
The rules for consent have become stricter, and organisations need to be more careful when crafting their consent forms. For GDPR compliance, they need to show evidence of consent to collect and use the personal data of any individual. This quick GDPR summary covers what kind of consent forms are acceptable.
Clarity of Purpose
GDPR is very particular about the kind of consent organisations ask their employees, customers, and other partners to give. It demands that consent forms be written in plain language that makes sense to the individuals signing them. Signatories should be clearly informed about the extent of the consent they are granting; there should be no ambiguity. The purpose of the data collection and processing should be specifically stated, and the consent should be freely given.
Until now, the silence of the individual was treated as consent. Not anymore. Under GDPR, pre-ticked boxes, the inability to say no, or any other form of inactivity does not qualify as consent. The data subject has to give active consent before an organisation may use and process the information they have provided.
Also, children under the age of 13 years do not have the power to give their consent. Their consent is considered valid only if parental consent accompanies it.
Power to Withdraw
GDPR gives data subjects the right to withdraw their consent at any time. Without the consent, organisations cannot use the data of such individuals for any processing.
Better Control over How Data Is Processed
Individuals residing in the EU states are definitely going to enjoy a lot more control over who collects their data and how they process it. This GDPR summary discusses how the rights of the EU residents are all set to experience a significant boost after May.
Under GDPR, data subjects can submit a request to the controller to learn why and how their data is being processed. They can also ask the controller for a copy of the data being processed. The controller does, however, have the right to charge a fee to cover the administrative costs incurred in this process.
EU residents also have the right to object to the data processing and report it to the supervisory authority. They can even get any and all inaccurate data corrected.
GDPR goes one step further and gives EU residents the right to have their data erased by the data collector and processor. The data controller has to comply with such a request for deletion of personal data. This has been termed in Article 15 of GDPR as the ‘right to be forgotten’. The controller may receive an erasure request for data that has already been made public. In such a case, the controller has to take all necessary measures, including technical ones, to inform the other data processors about the erasure request.
GDPR wants to put EU residents in the driver’s seat and make them masters of their own privacy. With GDPR, they not only get to decide which service provider collects their data but also who stores it. So much so that they can request to have their data moved from one service provider to another.
Which Organisations Come Under Its Purview?
One of the most profound impacts of GDPR is the extension in the instances that come under its purview.
Of course, all organisations that operate within the EU are required to comply with the new regulation. Whether it is a profit-making business, a non-profit charity, or a public authority, if it collects the personal data of people residing in the EU, it is covered by GDPR. So it is not just citizens: GDPR safeguards the data of everyone residing in the EU.
Organisations that do not operate within the EU but collect, store, or process the data of EU residents also come under GDPR. Even third-party organisations that work for companies offering goods and services to EU residents come under its purview.
That is a large group of industries and businesses that are affected by GDPR, and that is why it has created so many ripples across the business world.
What Principles Do These Organisations Have to Follow?
GDPR lists 6 data protection principles in Article 5. All the organisations within the EU or those outside of the EU that deal with the personal data of EU residents are required to process the personal data according to these 6 GDPR data protection principles.
Principle 1: Fair & Legal Practice
GDPR requires organisations to collect and process data in a lawful, fair and transparent fashion. They have to build systems and create processes that ensure this.
Principle 2: Limitation of Purpose
Data should be collected only for a specific, explicit and legitimate purpose. Organisations are required to state why they are collecting the data and how they intend to process it. Any later use of the data must be compatible with those stated purposes.
Principle 3: Data minimisation
Organisations should collect only the data that is relevant to, and necessary for, the purpose they have stated; that stated purpose governs what may be collected.
Principle 4: Maintaining Accuracy
Organisations are responsible for maintaining the accuracy of the data they collect. They are also required to erase or update data of questionable accuracy without undue delay.
Principle 5: Limit Storage
Data that allows a data subject to be identified should be stored only for as long as it is necessary to serve its intended purpose.
Principle 6: Secure the Data
Data should be collected, stored and processed in a manner that ensures its security. It is the organisation’s responsibility to take all organisation-wide and technical measures to maintain the integrity of the data against damage, accidental loss, theft, and other such mishaps.
How Can the Organisations Prepare?
GDPR has not been created to bring down organisations that collect and process data. Rather, it has been put in place to make sure that they handle such data more responsibly and transparently. The GDPR fines and backlash for non-compliance are quite high and are covered later in this GDPR summary. But here are some ways in which organisations can safeguard themselves.
Organisations should use better and more secure methods to safeguard the user data they store on-premises as well as in the cloud. Encryption can be used to secure servers, storage, media, and networks. Strong key management and verification of identities before granting access to data are other steps that improve security and GDPR compliance.
This is important because if an organisation is attacked by data thieves, it can save itself hefty fines by proving that it had taken all the necessary precautions to secure the data.
As consumers can request access to, editing of, or erasure of their data, it is essential for organisations to keep proper records. GDPR compliance requires not only that organisations keep the data secure, but also that they produce it without ‘undue delay’ when asked to do so. Therefore, organisations must have proper records so that they can track the movement of data and its processing.
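As an added example (this is not code from the article), here is a toy in-memory data store in Go that handles the three kinds of request just described (a copy of the data, correction, and erasure) and keeps an append-only processing log so that every operation on personal data is recorded with its purpose and time. The type names, field names, subject IDs and the sample record are all assumptions made for the example; a real system would persist both the records and the log.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Added example, not code from the article: a toy in-memory store that handles
// data-subject requests (a copy of the data, correction, erasure) and keeps an
// append-only processing log so every operation on personal data is recorded
// with its purpose and time. All names and sample values are constructed.
type PersonalData struct {
	Name  string `json:"name"`
	Email string `json:"email"`
}

// LogEntry records one processing operation on one data subject's data.
type LogEntry struct {
	When      time.Time
	SubjectID string
	Operation string // "collect", "access", "rectify" or "erase"
	Purpose   string
}

// Store holds personal data keyed by subject ID plus the processing log; the
// clock is injectable so the behaviour can be tested deterministically.
type Store struct {
	records map[string]PersonalData
	log     []LogEntry
	now     func() time.Time
}

func NewStore(now func() time.Time) *Store {
	if now == nil {
		now = time.Now
	}
	return &Store{records: map[string]PersonalData{}, now: now}
}

func (s *Store) record(id, op, purpose string) {
	s.log = append(s.log, LogEntry{When: s.now(), SubjectID: id, Operation: op, Purpose: purpose})
}

// Collect stores data about a subject and logs the purpose it was collected for.
func (s *Store) Collect(id string, d PersonalData, purpose string) {
	s.records[id] = d
	s.record(id, "collect", purpose)
}

// Access returns a JSON copy of everything held about the subject and logs it.
func (s *Store) Access(id string) ([]byte, error) {
	d, ok := s.records[id]
	if !ok {
		return nil, errors.New("no data held for subject " + id)
	}
	s.record(id, "access", "subject access request")
	return json.Marshal(d)
}

// Rectify replaces the stored data with corrected values.
func (s *Store) Rectify(id string, d PersonalData) error {
	if _, ok := s.records[id]; !ok {
		return errors.New("no data held for subject " + id)
	}
	s.records[id] = d
	s.record(id, "rectify", "subject rectification request")
	return nil
}

// Erase deletes the subject's data. The log entry is kept so the organisation
// can still show that the request was honoured, and when.
func (s *Store) Erase(id string) error {
	if _, ok := s.records[id]; !ok {
		return errors.New("no data held for subject " + id)
	}
	delete(s.records, id)
	s.record(id, "erase", "subject erasure request")
	return nil
}

// History returns the processing log entries for one subject, oldest first.
func (s *Store) History(id string) []LogEntry {
	var out []LogEntry
	for _, e := range s.log {
		if e.SubjectID == id {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	s := NewStore(nil)
	s.Collect("sub-1", PersonalData{Name: "A. Example", Email: "a@example.test"}, "order fulfilment")
	out, _ := s.Access("sub-1")
	_ = s.Erase("sub-1")
	fmt.Println(string(out), len(s.History("sub-1")), "log entries")
}
```

The point of the design is that the processing log outlives the record it describes: after an erasure the personal data is gone, but the organisation can still show what was collected, for which purpose, when it was accessed and when the erasure request was honoured, which is exactly the evidence the text says must be produced without undue delay.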
Creating Flexible Systems
As already stated in this GDPR summary, organisations under GDPR have to change data, or even delete it, on request. This means that organisations have to build a high degree of flexibility into the systems that will manage their data in the future, as they might need to edit the data or delete it entirely. So organisations need enterprise-wide software solutions that offer that kind of flexibility.
Organisations should ensure that they have up-to-date consent for all the data they are storing and processing. This GDPR summary has already touched upon what consent forms should look like in the GDPR era. If they do not have the required consent, they should have a strategy in place to request, record, and refresh the consent of their data subjects.
“GDPR not only asks organizations to offer their consumers a better data privacy environment, but also offers them the processes that need to be put in place that would ensure compliance. This GDPR summary covers the cliff notes on those compliance requirements.”
Ensuring Encryption of Data
All entities that collect, store and process data are responsible for its security as well. For GDPR compliance, they have to take reasonable ‘organisational and technical measures’ to ensure the integrity of the data they are handling. They can use data encryption, better security software, and follow more such safety protocols to make sure that the data remains inaccessible to unauthorised personnel or entities.
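One way to combine the encryption and strong key management recommended above, as an added example that is not the article's code: each data subject's record is encrypted under its own AES-256-GCM data key, the data keys are wrapped under a master key (which in production would be held by a KMS or HSM rather than in memory), and the subject ID is bound into each ciphertext as associated data so keys and records cannot be quietly swapped between subjects. The example goes one step beyond the text by tying this to the erasure requests discussed earlier: deleting the subject's wrapped key makes every copy of the ciphertext unreadable, including copies lingering in backups, a technique commonly known as crypto-shredding. The `Vault` type, the all-zero master key and the sample record are assumptions constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example, not code from the article. Each subject's record is sealed
// under its own AES-256-GCM data key; data keys are wrapped by a master key
// (held by a KMS/HSM in production); erasure destroys the subject's data key so
// the ciphertext becomes unreadable (crypto-shredding). All values are constructed.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM; the output layout is nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on a wrong key, wrong associated data or tampering.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Vault holds one sealed record per subject plus the wrapped per-subject data keys.
type Vault struct {
	masterKey   []byte            // a KMS/HSM would hold this in production
	wrappedKeys map[string][]byte // subject ID -> data key sealed under masterKey
	records     map[string][]byte // subject ID -> record sealed under the data key
}

func NewVault(masterKey []byte) *Vault { return &Vault{masterKey, map[string][]byte{}, map[string][]byte{}} }

// Store mints a fresh data key for the subject, wraps it under the master key
// and seals the record under it. The subject ID is bound in as associated data
// so keys and records cannot be silently moved between subjects.
func (v *Vault) Store(id string, plaintext []byte) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	wrapped, err := seal(v.masterKey, key, []byte(id))
	if err != nil {
		return err
	}
	sealed, err := seal(key, plaintext, []byte(id))
	if err != nil {
		return err
	}
	v.wrappedKeys[id], v.records[id] = wrapped, sealed
	return nil
}

// Read unwraps the data key and unseals the record; it fails once the key is shredded.
func (v *Vault) Read(id string) ([]byte, error) {
	wrapped, ok := v.wrappedKeys[id]
	if !ok {
		return nil, errors.New("no data key for subject " + id)
	}
	key, err := open(v.masterKey, wrapped, []byte(id))
	if err != nil {
		return nil, err
	}
	return open(key, v.records[id], []byte(id))
}

// Shred destroys the data key; ciphertext lingering in backups stays unreadable.
func (v *Vault) Shred(id string) { delete(v.wrappedKeys, id) }

func main() {
	v := NewVault(make([]byte, 32)) // all-zero master key: for the demo only
	_ = v.Store("sub-1", []byte("name=A. Example"))
	v.Shred("sub-1")
	_, err := v.Read("sub-1")
	fmt.Println("readable after shred:", err == nil)
}
```

Two design choices matter here. Keeping the record ciphertext after `Shred` is deliberate: it models the backup or replica copy an organisation cannot easily reach, and shows that the data is nonetheless unrecoverable once the key is gone. And because the master key is the only long-lived secret, the "strong key management" the text asks for reduces to protecting one key in a KMS or HSM and rotating it by re-wrapping the small data keys rather than re-encrypting every record.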
GDPR also requires organisations that transfer the personal data of individuals outside the EU to put proper safeguards in place before doing so.
Organisations have to create systems that allow them to report data breaches, loss of data, or any other damage to data to the regulator. They have to act within 72 hours of the incident. They also have to create processes that ensure the individuals affected by a breach are informed about it within the same time frame.
Data Protection Impact Assessment
Organisations that process data which “is likely to result in a high risk to the rights and freedoms of natural persons” are required to conduct a Data Protection Impact Assessment. These include organisations that extensively analyse personal data in ways that may have legal or other significant implications, organisations that participate in large-scale monitoring of public areas, and so on.
Data Protection Officer
Similarly, a Data Protection Officer (DPO) has to be appointed in specific cases: where the organisation is a public authority, processes high-risk data, or deals with the special categories of data. The DPO is entrusted with keeping the organisation informed of its obligations under GDPR, overseeing compliance, and acting as a point of contact for data protection agencies.
What Happens If Organisations Do Not Comply?
GDPR is a big step towards strengthening data privacy. To ascertain that GDPR meets its intended objectives, it is essential that there is a strong deterrent for non-compliance. And deterrent it is! This GDPR summary captures how the policymakers have ensured that the cost of noncompliance with the new data privacy law is prohibitively high.
The organisations that do not comply with GDPR guidelines deliberately or due to negligence can end up paying GDPR fines as high as €20 million or 4% of the global turnover of the organisation, whichever is higher.
GDPR also mandates that if an individual has suffered loss due to the infringement of the regulation, then they can receive compensation from the data controller. This means added legal costs for the organisation, which can further run into millions, depending on the extent of the loss to the individual in question.
Loss of Brand Value
It is never good for an organisation to be involved in a data breach. There is a significant loss of the customer trust that the company has amassed over years of operations and after spending thousands or millions of dollars on marketing. After being penalised for flouting a regulation, the organisation will also find it harder to acquire new customers. That is another added cost.
What is GDPR? It is a data protection regulation that sets a precedent for data privacy laws across the globe. After all, it is one of the most stringent and far-reaching data protection laws in the world. To comply with such a strict law, organisations have to unlearn old data practices to save themselves from hefty fines and customer loss.
After what you have read in this short GDPR summary, do you think organisations will ever be able to fully comply with GDPR? Or is the law impractical considering the way technology is progressing?