The General Data Protection Regulation (GDPR) is a regulation in European Union law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA. Its primary aim is to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the rules within the EU. Because the GDPR is a regulation rather than a directive, it is directly applicable and does not require national governments to pass any enabling legislation. In the United Kingdom, the Data Protection Act 2018, which contains similar protections and requirements, received royal assent on 23rd May 2018.
What Is GDPR?
Replacing the Data Protection Directive, the GDPR contains provisions and requirements applicable to the processing of personally identifiable information of individuals inside the European Union, and it applies to every enterprise, regardless of location, that does business with the EEA. The regulation dictates that business processes handling personal data must be built with data protection in mind and that the data must be stored using pseudonymization or full anonymization, so that personal data is not publicly available without explicit, informed consent and cannot be used to identify a subject without additional information that is stored separately.
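The distinction between pseudonymization and anonymization described above, shown as an added example (not code from the original page); the records, the key and the function names are constructed for illustration:

```python
import hmac
import hashlib
import secrets

# Constructed sample records; the people and purchases are fictitious.
RECORDS = [
    {"email": "alice@example.com", "country": "DE", "purchase": 42.0},
    {"email": "bob@example.com", "country": "FR", "purchase": 17.5},
    {"email": "alice@example.com", "country": "DE", "purchase": 8.0},
]


def new_key():
    """The 'additional information' that must be stored separately from the data."""
    return secrets.token_bytes(32)


def _token(key, email):
    # A keyed HMAC rather than a plain hash: a plain SHA-256 of an e-mail can be
    # reversed by guessing, a keyed token cannot be regenerated without the key.
    return hmac.new(key, email.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Replace the direct identifier with a keyed token.

    The same subject still maps to the same token, so per-customer analytics
    keep working, but the rows identify nobody without the separately held key.
    """
    return [
        {"subject_id": _token(key, r["email"]), "country": r["country"], "purchase": r["purchase"]}
        for r in records
    ]


def anonymize(records):
    """Drop the identifier entirely: no key can ever re-link these rows."""
    return [{"country": r["country"], "purchase": r["purchase"]} for r in records]


def can_relink(pseudo_records, key, email):
    """Re-identification is only possible for whoever holds the key."""
    return any(r["subject_id"] == _token(key, email) for r in pseudo_records)


def erase_subject(pseudo_records, key, email):
    """Honour an erasure request on the pseudonymized set (right to be forgotten)."""
    token = _token(key, email)
    return [r for r in pseudo_records if r["subject_id"] != token]
```

In practice the key and the pseudonymized data set live in different systems with different access controls, so that a breach of one does not expose the identities in the other.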
Data Protection Officer
A Data Protection Officer (DPO) is a person with expert knowledge of data protection law and practices who is appointed to assist the controller or processor and to monitor internal compliance with this regulation. Like a compliance officer, the DPO is also expected to take care of managing IT processes, data security and other critical business security issues around the holding of personal data.
Data breaches happen inevitably. Information gets lost, stolen or otherwise released into the hands of people who were never intended to see it, and those people have malicious intent. Under the terms of the GDPR, not only will organizations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it are compelled to protect it from misuse and exploitation.
Rights Individuals Have Under GDPR
The GDPR establishes several rights for the benefit of individuals. Some of them are stated below:
1. The Right to Access
This enables individuals to request access to their personal data and to ask how the company uses that data once it has been gathered. The company must provide a copy of the personal data, in electronic format if asked.
2. The Right to Be Forgotten
If consumers wish to withdraw their consent from a company to use their personal data, then this right gives authority to individuals to have their data deleted.
3. The Right to Data Portability
This right gives individuals the authority to transfer their data from one service provider to another, and the transfer must happen in a commonly used, machine-readable format.
4. The Right to Be Informed
This right states that individuals must be informed before any company gathers their data. Consent must be freely given rather than implied.
5. The Right to Have Information Corrected
This ensures that individuals can have their data updated if it is out of date, incomplete or incorrect.
6. The Right to Restrict Processing
This right allows individuals to restrict the processing of their data. Their record will remain in place, but it will not be used.
7. The Right to Object
This right enables individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received.
8. The Right to Be Notified
If there has been a data breach that compromises an individual’s personal data, the individual has the right to be informed within 72 hours of the breach first becoming known.
How Can GDPR Affect Your Business?
Although the GDPR is a European Union law, it could have far-reaching effects beyond European borders, as US-based companies will have to comply with the new rules while doing business within the EU. Beyond Europe, the law applies to any business whose data processing relates to offering goods and services to EU-based people or to monitoring their online behaviour, including tracking used for internet-based marketing within the EU. This scope is quite broad and will possibly affect the compliance regime of every ad tech company and their clients worldwide. A few more points on how the GDPR is likely to change the way businesses work:
- Companies will focus on building trust and a higher level of service to support GDPR demands.
- A company must receive consent from customers before they can use the latter’s data.
- A company must inform its users when there is a security breach that affects their data.
- A company must give its customers the right to erase the personal data the company holds on them.
- Customers must have access to the data the company has collected and also the right to give their data to another company.
- A company must protect the interests of its customers, especially if the data concerns health, race, religion, political alignment or sexual orientation.
- A company must give its customers the right to opt out of the company’s research and marketing.
- Cyber insurance companies are set to grow to protect the business against GDPR fines.
- A company must make legal arrangements when moving data to countries that are outside of the EU or have not been approved by EU authorities.
National authorities can assess fines for specific data protection violations in accordance with the GDPR. The fines must be effective, reasonable and dissuasive in each individual case. The authorities have a statutory catalogue of criteria that must be used when deciding whether, and in what amount, sanctions are assessed. For especially severe violations, the fine framework allows up to 20 million euros or, in the case of a company, up to 4% of its total global turnover in the previous fiscal year, whichever is higher. Even the catalogue of less severe violations sets forth fines of up to 10 million euros or, in the case of a company, up to 2% of its entire global turnover in the previous fiscal year, whichever is higher.