Advanced Guide to The General Data Protection Regulation (GDPR)
“Data protection used to be a cause of concern for every country in Europe leading to a remarkable difference. From now on, the situation is expected to change because a unique law that applies equally to each EU member state is coming”.
GDPR – yet another abbreviation to memorize by every other company doing business in Europe. GDPR stands for General Data Protection Regulation, which is a new set of guidelines created by EU, replacing various other data management and data protection laws around Europe. Current GDPR implementation will replace the Data Protection Directive 95/46/EC of 1995 and is supposed to affect Data Protection Act 1998 in the UK as well as the current Freedom of Information Act 2000 (FOIA).
Current Challenges in Personal Data Protection
The landscape of data privacy threats is evolving at a greater speed forcing organizations to face the bitter reality of carrying significant risks, stronger enforcement and the increasing urgency to face the obstacles in managing and protecting personal data. Due to the increased number of data breaches, and the way they are made public further aggravate these challenges. One of the major challenges faced by many organizations is to cope up with the data protection rules, regulations, policies, and processes that imbricate with the current set of organizational, business and technology issues.
Here are some of the challenges faced by personal data protection:
- Might be due to the lack of awareness of the legal and financial consequences, but organizations lack discernment for security
- NO standard data protection protocol within the organizations leading to no control over compliance security policies.
- Business owners lack the interest to take ownership or accountability of personal data.
- A huge amount of data generated and unwillingness or incompetence to analyze and subdue unwanted data.
- IT trends like cloud, mobility and virtualization increase the complexity of business-critical systems and drives up the costs to locate, classify and protect information.
- About 36% business-critical applications are already in the cloud and the statistics claim that concerned IT departments are not aware about half of them.
The Need to Implement GDPR :
The General Data Protection Regulation is an effort to update data protection for the 21st century, wherein people grant permissions to share their personal information across various online platforms in exchange for ‘free services’. The revised EU data protection framework was finally adopted after about four years, on 8 April 2016. The GDPR will replace the current Directive and will be directly applicable in all Member States without the need for implementing national legislation. It will take effect on 25 May 2018. The law is applicable not only to the European organization using personal data but will be applicable to the non-European Union (EU) based organizations as well.
There are two major objectives behind the introduction of GDPR. First, to bring people’s data in line to understand how this data is being used, especially when tech giants like Amazon, Google, Twitter, and Facebook are offering free services to users in exchange for their data. (In a recent scandal, Cambridge Analytica harvested about 50 million Facebook profiles to compromise the 2016 US election-a classic example of how these tech giants manipulate personal data of a user.)
The second objective is to offer more clarity to the organizations over a level of environment that dictates how they need to behave. By making data protection guidelines uniform over all the EU states, it is supposed that the EU companies will collectively save €2.3 billion per year.
Key Points in GDPR :
As the makers say, “The GDPR is not a revolution but a mere evolution of current EU laws.” The GDPR is expected to enhance data subjects along with rights and the enforcement capabilities. GDPR makes it mandatory for all the organizations and companies processing data from EU citizens to comply with the rules and regulations.
The GDPR emphasizes on consent, control, and clear explanation intended to elevate users understanding to reckon the way they are monitored online. Even since internet dominated and commercial web penetrated our lives, organizations were motivated to compile user’s data for monetization. Henceforth, EU empowered its citizens to opt-in instead of facing the burden to opt-out.
Here are some key points in GDPR:
- Data Portability: The new GDPR draft empowers users with the right to data portability. Thus, consumers are now free to obtain and reuse their personal data across different service platforms at their own will. Undoubtedly, this user-centric approach will make it a lot easier for the consumers to switch between services resulting in voiding the problem of ‘lock-in’.
- Right to Erasure: From now on organizations will generate personal data but will no longer have its ownership. ‘Right to Erasure’ is an official term for the data that needs forgetting. Using this specific rule, consumers can now ask the organizations to erase their personal data preventing its use in specific circumstances. In spite of having numerous exceptions to this, the new right to erase guideline is built on previous right to be forgotten established in ECJ case law, 2014.
- GDPR Breach Notification: GDPR in no any sense promises a reduction in the data breach or hacking of personal data. Remember, an attempt at a personal data breach has the potential to impart detrimental effects on the life of an individual (as if; online shaming, loss of confidentiality or financial loss). In such event, it is the duty of an organization where this personal data breach takes place to inform the individual and report the same to relevant supervisory authority or face a fine.
- Direct representation by NGOs: GDPR empowered consumers all over the EU with a right to ask an adequate NGO in bringing claims against data processors on their behalf. In addition to that, GDPR authorized EU countries to bestow such NGOs with a right to take collective action. It is believed that such liberty might result in significant increase in the number of litigation class action suits immediately GDPR comes into effect.
- Ownership & Accountability: The GDPR mandates organizations to document their compliance with a new set of rules and standards. Right from recordkeeping obligations to use of privacy impact assessment everything needs prompt reporting. According to new GDPR draft, a public body involved in data processing activities needs to hire a data protection officer, as do companies whose core activities involve data processing requiring regular individual monitoring. Thus, organizations are free to appoint a data protection officer or EU legal representative to help them understand, implement, and comply with GDPR.
- Fine & Penalties: Penalties for companies who fail to meet the new GDPR amendments have increased to up to €20 million or 4% of annual global turnover whichever is higher.
- International implications: It does not matter from which location you are processing personal data of EU citizens; even, the rules in place where EU citizen’s personal data is processed does not matter. What matters is if your organization or company is specifically targeting EU citizens to monitor their online behavior then such organizations need to comply with GDPR irrespective of their demographics.
Reference to one of the PwC surveys affirms that more than 68% U.S. based companies will have to incur about $1 to $10 million and another 9% are ready to spend more than $10 million in preparing themselves to meet GDPR requirements.
About 1 million new malware threats loom every day. Consequently, recent Facebook scandal, repeated growth in targeted attacks and advanced persistent threats have caused companies to be more reactive in their approach to cybersecurity. In such unsure and insecure environment, GDPR compliance will definitely offer a competitive advantage to the organizations. Moreover, it will help in boosting consumer confidence in companies and the way they will be handling their personal data. More importantly, the technical and process improvements will result in efficient management and data security by EU based organizations.
Taking GDPR lightly is not at all an option for organizations dealing with personal data of EU citizens. Ignoring or underestimating the GDPR regulations is a great risk one should not take.
Hope you have read and understood the GDPR guidelines and the necessity to comply with it; are you still confident that your organization is ready to meet the GDPR requirements? If not, then get in touch with us.