General Data Protection Regulation (GDPR) is a draft that is finalized by European Union and was published in the official journal on 4 May 2016. This regulation will apply in all the Members States from 25 May 2018.
The main objective of GDPR is to harmonize data protection law across European Union. This will help the citizens to regain their control on their personal data.
Personal data is that information through which an individual can be identified either by the identifier’s name, address, and phone number or by some specific factors such as the identifiers physical, mental, cultural, genetic and social identity.
Also, GDPR includes a sensitive personal data category which is a separate category and includes personal data that revels race or ethnic origin, religious beliefs, political opinion, trade or union membership, processing of genetic data, persons biometric data and data concerning health.
The principles relating to Personal data processing are, the personal data must be collected only for specific and explicit purposes and the personal data must be processed fairly and in a transparent manner.
The regulation clearly states that the personal data includes anything from which a subject could be identified online. For example, IDs of mobile devices or IP address. This will impact the online business especially advertising industry as all the unique identifiers will be protected by the EU law.
As a practical example, let us consider an organization that acts as reinsurer, that is, it functions as a service provider to insurance companies. This organization usually collects abundant personal data of the people insured. This data cannot be used by them for any other purpose. If they need to use any personal data, they need to take consent of the concerned subject.
The new GDPR has extended its scope to all the foreign countries that process the data of people belonging to the European Union. That is if an organization is based outside the European Union, but it processes the personal data of the people residing in the European Union, then the GDPR applies to that organization.
GDPR also applies to ‘controllers’ and ‘processors’ that are processing the personal data within the European Union, and only to ‘controllers’ outside European Union, that monitors data and offers services to subjects within European Union. (A controller is a person who determines the reason and the method of processing the personal data and a processor is a person who works on the behalf of the controller).
The organizations that was outside the scope of the application of the EU law of data protection, will come directly under its implications. This will be very advantageous as the controllers and the processors that are not under the scope of UN but still collect and process data of EU residents through cookies and other activities might be caught by the scope of the GDPR.
According to the GDPR, the consent must be,
- Unambiguous, if the data is ordinary and non-sensitive.
- Explicit, if the data is very personal and sensitive.
As such there is no difference between the two types of consent and the GDPR clearly states that even for an unambiguous consent, it is necessary that the consent is given affirmatively.
For example, when a subject visits a website that is conducting some online competition, to participate there, the subject is first supposed to fill an entry form that compulsorily requires his or her name and address. Providing email ID is optional and it says that if you wish to receive information about products, then enter your email ID. The subject enters the Email ID.
Here we cannot say that the subject gave explicit consent as any form of legal and binding consent was not given, but an unambiguous consent was give as it was given through an affirmative act.
Rights Of Data Subjects
This outlines general principles that strengthens the rights of data subjects.
1. Information Rights:
The data controller is required to provide the data subject, transparent and authentic information about the identity and contact information of the controller and its representatives, identity of the data protection officer, the purposes of the processing the intended data and the recipients of personal data. If the controller wants to transfer the data to third country, then the controller must first take permission from the subject.
2. The right of access:
This right allows the data subjects to ask questions to the controller, whether their personal data are being processed or not. If yes, then the controller needs to provide the following information;
- The purpose of processing.
- The period for which the data will be stored.
- The recipients to whom the data has been disclosed.
- The right to lodge a complaint with supervisory authority.
This will be an important change for those countries, where the data controllers charge fees to provide access to any data as according to the right to access, they will have to provide the information without charging anything.
3. Right to Rectification:
This gives right to the subject to obtain rectification of their personal data from the controller if the data is inaccurate or incomplete.
4. Right to Erasure:
The subject can ask the controller to erase his or her personal data on the basis of any one of the following reasons;
- The collected data is no longer necessary.
- The data subject wants to take the given consent back.
- The data subject does not want the data to be processed.
- The data has been processed unlawfully.
5. Right to Restriction of Processing:
The subject has right to restrict or suppress the processing of the personal data when, the subject has doubt on the accuracy of the data and the personal data of the subject is no longer needed by the controller for processing, but is required by the subject for matters relating to legal claims.
It may sometimes happen that even when the data is restricted by the data subject, processing of data may take place for the protection of rights of another subject or public interest. In this case the controller must inform the subject beforehand.
6. Right to data portability:
In the Right to data portability, the right that subjects have over their data have been strengthened. It says that a subject has a right to transfers his or her data from one controller to another, without any hindrance from the first controller. This data must be provided in a machine readable format by the original controller.
7. Right to object:
A subject can object to the processing of his or her personal data when there is need to protect the subject’s vital interests or public interest. Also, if a subject’s personal data is being processed for marketing purpose, he or she can object to it.
8. Automated individual decision-making, including profiling:
If any decision is based solely on automated processing, including profiling, the data subject has right not to be a subject to that decision, as this can produce legal effects affecting him or her.
Profiling is a form of automated processing that evaluates certain aspects of an individual in order to analyze or predict their performance at work, health, personal preferences, behavior and location.
With all the new rights that are introduced, all the organizations and the businesses will have to update their privacy policies so that all the terms and regulations are properly met. They must be aware of all the implications that may result from violating the rules.
Also, the companies must make sure that the profiling activities carried out by them are lawful, and don’t result into violation of any individual right. The best way in which they can do this is by using techniques like pseudonymization and data minimization. These techniques will help in maintaining the privacy of the data subjects.
Not following these regulations or rules is a punishable offence and fine upto EUR 20,000,000, or up to 4% of the total annual turnover (whichever is higher) may be charged.
Controllers And Processors:
1. Responsibility of a controller and a Processor:
The controller needs to adopt policies and implement measures to make sure that the data processing is performed in accordance with the General Data Protection Regulation (GDPR).
A processor can process personal data of a subject only after receiving instructions from the controller, unless required by Union or member State Law.
For example, if a subject uses his or her mobile ID to login into any online services, the network operator will be the controller.
2. Data Security:
The processor and the controller will have to implement measures that will guarantee a level of security. These measures include, the ability to ensure the integrity, confidentiality, flexibility, availability and toughness of the system and services that process the personal data and in case of incident whether technical or physical, the access and availability of the personal data must be restored in time.
3. Data Protection Officer:
A Data Protection Officer is appointed by the controller and the processor under some specific circumstances. The data protection officer must have expert knowledge of data protection law. The duties that a Data Protection Officer has to perform are;
- Advising and informing the processor and the controller of their obligations in accordance with the GDRP.
- Monitoring all documentation as required by the regulation, monitoring the implementation and performance of data protection policies in accordance with this regulation.
- To provide assistance with regard to data protection impact assessments.
- Cooperating with the supervisory authority and acting as a contact point for the supervisory authority.
As all the big companies will require a DPO, especially those companies where the core activities are profiling, processing data of special category and where the data processing is quite complex and on a large scale, there might be shortage of resourceful and efficient DPO’s. So these companies must start taking action now, and must either recruit or train DPO’s or a DPO team.
Transfer Of Data To Third Country
- The transfer of personal data outside the European Union is restricted so that the level of protection of subjects by GDPR is ensured.
- The transfer of personal data to a third country or any other international organization can take place only if certain condition are met. These conditions are, Transfers on the basis of an Adequacy Decision, Transfers subject to appropriate safeguards and transfers that are in accordance with the Binding corporate rules.
Transfer of data from one country to another country is allowed only when there is adequate level of protection like the public security and national security and the controller and the processor has provided all the conditions that will be met during the transfer of data.
If these conditions to transfer data are not met, then administrative fine upto EUR 20,000,000, or up to 4% of the total annual turnover (whichever is higher) is imposed.
Each member state will provide one or more independent public authorities that will be responsible for monitoring the application of GDPR. These supervisory authorities will have various types of powers under them.
- A supervisory authority will be able to carry out audits of the controllers and the processors for data protection.
- A supervisory authority has power to issue warnings, impose ban and issue administrative fines if rules are violated.
(Disclaimer: This is a guest post submitted on Techstory by the mentioned author. All the contents and images in the article have been provided to Techstory by the authors of the article. Techstory is not responsible or liable for any content in this article.)
Image Source: medium.com
Nikunj Thakkar is the Founder and CEO of DataOne Innovation Labs. DataOne is a Business Solutions company with a strong focus on Business Intelligence; Big Data Analytics; Data Processing and Management; Product Development; Machine Learning and Natural Language Processing; and IoT Implementations. Reach out to him at [email protected], Facebook , LinkedIn or Twitter.