In the midst of a global uproar against injudicious use of personal data by businesses and public organizations, the European Parliament adopted the General Data Protection Regulation(GDPR) in April 2016, which was enforced on 25 May 2018 after a 2 year transition period, post which non-complying institutions can face heavy fines. Any enterprise, operating in or out of Europe, which possesses or processes data of EU citizens is obligated to abide by GDPR norms, which have replaced the Data Protection Directive 95/46/EC. GDPR lays down guidelines to be followed by institutions supplying good or services to EU citizens, in order to restrict the possession and use of an individual’s personal data, by necessitating consent.
Why?
Various enterprises all over the globe possess sensitive user data that can be abused and stolen for immoral and illegal endeavours without user consent or knowledge, putting information and identity of individuals at risk. Many companies obtain personal information in order to study customer behaviour without the knowledge of the individual whose data is being shared and studied. Sensitivity of the data protection issue became amply clear in the Facebook-Cambridge Analytica controversy, as Cambridge Analytica harvested data of an estimated 87 million people without their consent and used this data to influence the USA Presidential elections.
GDRP is an initiative to ensure privacy of internet users in the EU, and to ensure consent, by clearly specifying how customer data can be used and protected by enterprises. With the digital universe expanding at a rate of 40% per year, data created and copied will reach 44 zettabytes (44 trillion gigabytes) by 2020. GDPR is a calculated move to prepare for this rapid data expansion.
What does GDRP contain?
The major requirements of GDPR are below:
Consent: While engaging users, enterprises are required to use easily understandable terms and conditions devoid of legal jargon or legalese. Additionally, it must be as easy to withdraw consent as it is to grant it.
Breach Notification– Should the data subjects, individuals whose data is being held, collected or processed, become victims of a data breach, the company should notify the controllers and customers within 72 hours.
Right to Access– Data subjects have the right to obtain/ access data on them by demanding a portable copy of their personal data held by data controllers.
Right to be Forgotten– When a data subjects personal data has fulfilled its original purpose, the subjects can demand the controllers to erase their personal data from their records and cease its dissemination.
Data Portability– This enables individuals to obtain and transfer their personal data to another data controller. As part of this, controllers are required to maintain the data in an interoperable, machine-readable format so as to enable machine portability.
Privacy by design– Any institution in possession of personal data has to ensure data protection from the very beginning, starting from the designing of the system to taking necessary technical and infrastructural measures. Default settings of institution should be high on privacy. Additionally, only data relevant to the enterprise should be collected and processed by the them.
Data Protection Officers– Professionally qualified officers must be appointed in institutions, both public and private, that engage in large-scale(>250 employees) systematic monitoring or processing of personal data.
What are the consequences of non-compliance?
GDPR is one of the strictest set of regulations in place to safeguard personal data with a single set of laws applying to all EU member states, each of which is required to establish an independent Supervisory Authority(SA) to investigate complaints. A European Data Protection Board will coordinate all the SAs throughout the union. Punishments for non-compliance can go from a warning in writing(for unintentional non-compliance) to €20 Million or 4% of the company’s annual worldwide turnover, whichever is higher.
What does this mean for businesses?
Businesses globally will be affected by GDPR, even though it is only applicable in to EU citizens, since EU contributes 24% of the world’s GDP which makes it an indispensable and crucial part of businesses worldwide. The very implementation of GDPR, poses many challenges as the costs of compliance, that is the infrastructural and technical changes required under GDPR to ensure data protection, are humongous to the tune of 550,000 US$. Additionally, such cost implications would prove to be a disadvantage for startups and smaller firms since the costs may hamper compliance, while the bigger firms like Facebook and Google, which possess more personal data, would find it easier to comply. Barriers put in place on the commercial use of personal data further restricts profiteering opportunities.
The growth of data is indomitable, which is why the need for privacy and security is unavoidable. GDPR, despite its compliance issues and difficulties, sets a good precedent for the world which is increasingly becoming more vulnerable to data threats. It is the right of every individual to be in-charge of their data and to prevent its dissemination and use by ghost enterprises to ensure privacy. Big Data can revolutionise the world, which is why it is necessary to ensure that “the processing of personal data should be designed to serve mankind.”
Post Disclaimer
The opinions expressed in this essay are those of the authors. They do not purport to reflect the opinions or views of CCS.
