The General Data Protection Regulation (GDPR) is a regulation in European Union law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and the EEA. Its primary aim is to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the rules across the EU. The GDPR is a regulation, not a directive: it does not require national governments to pass any enabling legislation and is directly applicable. In the United Kingdom, the Data Protection Act 2018, which contains similar protections and requirements, received royal assent on 23 May 2018.
Replacing the Data Protection Directive, the GDPR contains provisions and requirements applicable to the processing of personally identifiable information of individuals inside the European Union, and it applies to every enterprise, regardless of location, that does business with the EEA. The regulation requires that business processes handling personal data be designed with data protection built in, and that personal data be stored using pseudonymisation or full anonymisation, so that it is not publicly available without explicit, informed consent and cannot be used to identify a data subject without additional information that is kept separately.
A Data Protection Officer (DPO) is a person with expert knowledge of data protection law and practice who is appointed to assist the controller or processor and to monitor internal compliance with the regulation. Much like a compliance officer, the DPO is also expected to oversee IT processes, data security and other critical business-security issues around the holding of personal data.
Data breaches are inevitable. Information gets lost, stolen or otherwise released into the hands of people who were never intended to see it, and who may have malicious intent. Under the terms of the GDPR, not only will organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it will be compelled to protect it from misuse and exploitation.
The GDPR establishes a number of rights for individuals. Some of them are described below:
Right of access: individuals can request access to their personal data and ask how the company uses it once it has been gathered; the company must provide a copy of the personal data, in electronic format if requested.
Right to erasure: if consumers withdraw their consent for a company to use their personal data, this right entitles them to have that data deleted.
Right to data portability: individuals can transfer their data from one service provider to another, and the transfer must take place in a commonly used, machine-readable format.
Right to be informed: individuals must be informed before any company gathers their data, and consent must be freely given rather than implied.
Right to rectification: individuals can have their data updated if it is out of date, incomplete or incorrect.
Right to restrict processing: individuals can restrict the processing of their data; the record remains in place but is not used.
Right to object: individuals can stop the processing of their data for direct marketing. There are no exemptions to this rule, and processing must stop as soon as the request is received.
Breach notification: if a data breach compromises an individual’s personal data, the individual has the right to be informed within 72 hours of the organisation first becoming aware of the breach.
Although the GDPR is a European Union law, it has far-reaching effects beyond European borders, since US-based companies must comply with it when doing business within the EU. Beyond Europe, the law applies to any business whose data processing relates to offering goods and services to EU-based people or to monitoring their online behaviour, including the tracking used for internet-based marketing within the EU. This scope is broad and will likely affect the compliance regime of every ad-tech company and its clients worldwide. Some further points on how the GDPR is likely to change the way businesses operate are:
National authorities can impose fines for specific data protection violations in accordance with the GDPR. The fines must be effective, reasonable and dissuasive in each individual case, and the authorities must apply a statutory catalogue of criteria when deciding whether to impose a sanction and at what amount. For especially severe violations, the fine can be up to 20 million euros or, in the case of a company, up to 4% of its total global turnover in the previous fiscal year, whichever is higher. Even the catalogue of less severe violations provides for fines of up to 10 million euros or, in the case of a company, up to 2% of its total global turnover in the previous fiscal year, whichever is higher.