The Complete Guide To GDPR In 2020
The General Data Protection Regulation (GDPR) is the EU’s new data protection legislation, which replaces the 1995 Data Protection Directive. The GDPR was published in May 2016 and became legally effective on 25 May 2018. It strengthens and unifies data protection for individuals within the EU and also addresses the export of personal data outside the EU, harmonizing data protection law throughout the EU. It took years in the making and replaces the last major piece of EU privacy law, which dates from 1995.
WHAT ARE THE CHALLENGES FACED?
As data transforms the world economy, its analysis and regulation have become essential. A 2013 Deloitte report stated that “the amount of data produced across the globe is estimated to be growing at 40% per year and, as far back as 2008, 9.57 zettabytes of data was processed by enterprise servers across the globe. This is equivalent to 6 GB of data for each person on the planet every single day.”
With digital transactions and information becoming the new norm and, to some extent, indispensable, individuals and institutions have become more exposed. Rapid technological developments have brought new challenges for the protection of personal data at the global level, because the scale of data sharing and collection has increased dramatically. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities, and individuals increasingly make personal information available publicly and globally.
AFTER GDPR WAS INTRODUCED
Europe has been at the forefront of data protection, which to a great extent reflects the aspirations of the European population. For many in Europe, privacy has been a priority. This led to the passing of groundbreaking legislation on data protection, which has affected not only Europe but also businesses around the world, including here in India.
The regulation applies to the processing of personal data of a person who is in the EU, regardless of whether the data is processed inside or outside the EU. Put simply, any business anywhere in the world that does any work or business with an EU data subject needs to comply.
Hence, if an Indian company has data of any person based in the EU, they have to be in compliance with the GDPR. This includes companies that are generating any leads of EU citizens, marketing to any EU businesses or citizens, showing an ad to EU citizens online or even making a sales call to people or businesses from the EU.
If a company is found to be in contravention of the GDPR, the regulation provides for a heavy penalty: 20 million EUR or 4% of global turnover, whichever is higher. Additional compensation also has to be paid to natural persons whose privacy rights have been violated.
This is why no business can really afford to ignore or not comply with GDPR.
SECTORS IMPACTED BY GDPR:
- The IT sector and ITeS will be impacted heavily, as explained above;
- Advertising, and in particular the digital marketing industry, will be affected;
- Telemedicine, health record management services, and medical tourism;
- The fintech and digital banking sectors, as they cater to the needs of Indians living in the EU;
- Blockchain, IoT, and Software as a Service;
- Aviation: Indian carriers can have people with EU passports flying with them;
- Hospitality: hotels can have clients with EU passports;
- Cloud computing: servers can be storing data belonging to EU citizens;
- Online retail: think of a citizen of the EU who travels to India and buys something on Flipkart;
- Import-export: businesses that work with clients in Europe;
- Law firms, accountants, and other consultants: service providers with EU clients are also impacted.
WHY IS GDPR IMPORTANT?
With the growth of digital networks and the internet, there has also been a growth in privacy concerns. Online services needed personal data for their development, but at times this collection was unwarranted and contrary to the interests of the end user, who was asked for personal data that should never have had to be shared.
Recent data misuse scandals brought to light how users were not even aware of how and why their data was being collected, while businesses held huge inventories of it that then leaked from the company. This made the public start caring about these issues, but mistrust between users and businesses increased because the laws were outdated and users had no way to control their data.
That is how the GDPR was born. It is important, and everyone should care about it, because it:
1. It reconciles the trust between users and businesses
2. Makes the working process easier
3. Gives ownership of data rightfully to the user
4. Protects from unauthorised use of data
WHY YOU SHOULD LEARN GDPR
Personal data is valuable, and there are no two ways about it. Data helps a business develop its business model, understand its customers, and develop its products and services. Over the last few years, we have seen headlines about personal data breaches and scandals at Facebook, eBay and Uber. Here are nine points that tell you why one should learn the GDPR:
#1 Creating awareness in the company
The ICO urges businesses to start planning for GDPR as soon as possible, so that you can have time to address budgetary, IT, personnel, governance and communications implications.
Important people and decision-makers of the company need to be aware of the new legislation, so they can understand the potential impact and identify the areas that require attention for compliance.
#2 Auditing personal data
The GDPR updates rights for a networked world and makes organisations responsible for proving that they comply with the data protection principles, for example by having effective policies and procedures in place.
Example: if you accidentally share data with another person or organisation, it is your responsibility to inform the organisation from which you obtained the information, so that they can ensure the data is recovered as soon as possible.
#3 Updating privacy notice
When you collect personal data from someone, you probably use a privacy notice containing DPA-compliant information, such as your identity and how you intend to use their information. Under the new regulation, you’ll have to tell people some additional things compared to the DPA, to give them greater protection. For example, you’ll need to explain:
- Your legal basis for processing the data
- Your data retention periods
- Their right to complain to the ICO if they think there’s a problem with how you’re handling their data
#4 Review your processes around Data Privacy Impact Assessments (DPIAs)
The GDPR may require you to carry out a privacy impact assessment (PIA) in a high-risk situation, such as a new technology deployment, or where operations are likely to significantly affect individuals.
To prepare for such an eventuality, the ICO recommends familiarising yourself with their PIA Code of Practice so you can work out how best to implement DPIAs in your organisation. You can also think about where it might be necessary to conduct a DPIA in your organisation. Who will do it? Who else needs to be involved? Should the process be run centrally or locally?
#5 Reviewing the procedures in order to support individuals’ rights
The new legislation covers the same principles as the DPA, but with significant enhancements. The most important thing here is to make sure you have procedures in place so that you can comply with, for example, an individual’s request to be provided with the data you hold on them electronically and in a commonly used format.
The main rights for individuals under the GDPR are to:
- Allow subject access
- Have inaccuracies corrected
- Have information erased
- Prevent direct marketing
- Prevent automated decision-making and profiling
- Allow data portability
#6 Identify and document your legal basis for GDPR
Under the GDPR, some individuals’ rights will be modified depending on the legal basis for processing their personal data. For example, a person or organisation could have their data deleted where you use consent as your legal basis for processing. So you need to understand the various types of data processing you carry out, identify the legal basis for each, and document it.
#7 Review how you seek, obtain and record consent
If you rely on individuals’ consent to process their data, make sure it meets the standards required by the GDPR. If not, alter your consent mechanisms or find an alternative to consent. The GDPR is clear that data controllers must be able to demonstrate that consent was given, so you may need to review the systems you have for recording consent and ensure you have an effective audit trail.
#8 Reviewing the data that you hold on to children
For the first time, the GDPR brings in special protection for children’s personal data. So if your organisation collects information about children under the age of 13, you will need parental/guardian consent to process their data lawfully, and you must ensure the data is not leaked, since many children will continue to use the same data in future.
#9 Establishing procedures in reporting and investigating a personal data breach
The GDPR requires all organisations to notify the ICO of any data breach where the individual is likely to suffer some form of damage, such as through identity theft, a confidentiality breach or data leakage. So you need to set up processes to detect, report and investigate breaches. Note that failure to report a breach could result in a fine, in addition to a fine for the breach itself.
The GDPR has set a gold standard for data protection compliance all over the world. It is fairly safe to say, then, that the GDPR is having a global impact, and the future of data privacy looks somewhat bright.