This post was first published on my corporate blog
With the help of advanced business analytics and AI, companies are using the power of data to its best use. But what is this data? It comprises of personal details of citizens of the European Union (EU). Therefore, it is imperative to act according to a set standard of consumer rights in order to protect the data from being misused.
The standard by which the EU is currently working with the Data Protection Act was formed in the year 1998. The world of business intelligence has advanced beyond expectations since then. In the modern world, consumer data can be exploited in unimaginable ways. The need for a more comprehensive regulation that protects the consumer data from being exploited in the current world scenario is a must. Thus, the formulation of all new General Data Protection Regulation (GDPR).
What is GDPR?
In simple words, GDPR that is slated to come into effect as on 25th May 2018, is a regulation designed to protect the personal data of citizens of the European Union from possible misuse by the corporates. Non-compliance with the strict regulations of GDPR may result in hefty fines for the businesses.
GDPR will supersede the previous Data Protection Act and with refined and stricter regulations, EU hopes to safeguard customer privacy in the upcoming Digital Economy.
The provisions of GDPR is consistent across the 28 European Union member states that make it only one standard required to be met by the businesses. Although, the guidelines are strict and the standard expected by companies operating under EU is severely high; adhering to the GDPR will ensure a smooth running of a business for the enterprises.
Not only will GDPR act as a stringent master in controlling the customer privacy and data, it will also make the business atmosphere simpler for EU companies. GDPR is expected to offer a simpler legal environment for businesses to operate by making the law for data security identical all through the single market.
Who and How does GDPR effect the companies?
GDPR is aimed at making businesses more accountable for protecting and monitoring data of the customers. These data include-
- Customer identity including IP address, location, RFID tags, and cookies.
- Genetic and general health data
- Biometric Data
- Ethnic/ Racial data
- Political belief
- Sexual Preferences
GDPR essentially is applicable to every company that accesses, stores, processes, any kind of personal data of any of the EU citizen. It does not matter whether the presence of the business is within EU states or not, the company still has to comply with GDPR if it uses EU citizen’s data in any way. For any company with more than 250 employees GDPR is mandatory, but even if the company operates with less than 250 employees and uses the data of the EU citizens, it must comply with the GDPR.
The Six principles of GDPR You Must Know About
Emphasizing the aim to drive the GDPR compliance, the six principles summarize the main responsibilities of the organizations towards managing the personal data of the consumers. These six principles are:
1. Fair practice, Lawfulness, and Transparency
The first law of GDPR says that personal data of any kind must be processed impartially, lawfully and with transparency. In order to follow GDPR lawfully, the companies must meet the data acquisition and processing criteria laid out in the guidelines.
2. Legitimate Purpose Limitation
The principle clearly states that the personal data can be collected for explicit, legitimate, and specified purposes only. Although the scope in GDPR is widened for certain categories, the principle essentially means “do what you say and say what you mean”.
3. Data Minimization
According to article 5, clause 1© of the law, the personal data collected must be relevant, adequate, and limited to only the necessary info with reference to the purposes for which they are to be processed. The principle explicitly means that nothing more than the bare minimum required data should be retained for processing.
4. Accuracy of Personal Data
The principle states that the accuracy of data must be maintained. Care and protection must be taken to safeguard personal data from theft and leaks. Also, rectification of the inaccurate personal data must be done without any delay.
5. Limitation on Storage of Data
The principle applies to limit the storage of unwanted data. Data that is no longer required must be securely removed. There are a few exceptions added to this principle such as the data collected for scientific purposes and for the public interest.
6. Confidentiality and Integrity
The principle comes as a result of protecting the fundamental right of data security. The integrity and confidentiality of data must always be maintained. Controlling the number of people accessing the data is a great way of achieving it.
Rights of Data Subjects under GDPR
Data subjects are essentially the ones whose data is being captured. In cases where the data subjects want to exercise their rights, the processors have to be answerable to them under the scope of their rights. There are 8 fundamental rights for data subjects, listed as under:
1. The right to be informed
The GDPR asks the processors or data collectors to dutifully and clearly inform the subjects regarding the data storage and their rights towards the data procured.
2.The right of access
The data subjects have the right to know how the data concerning them are being processed.
3. The right to rectification
In case of a scenario where the personal data is incorrect or false, it is the responsibility of the data collectors to correct it with immediate effect.
4. The right to erasure
The data subjects have the right to ask to be forgotten i.e. to get their personal data erased.
5. The right to restrict the processing
There may be certain circumstances where the data subject may not be able to get the data erased or forgotten but can restrict the processing to a certain extent. For example, in defense or legal claims cases, this right can be exercised.
6. The right to data portability
Data subjects enjoy the right to transfer their data from one online platform to another.
7. The right to object to processing
As stated in the clauses of GDPR, the controllers (data collectors) must process the data lawfully and with full transparency. However, in cases where the lawful bases are not absolute, the data subjects have the right to object.
8. Rights in relation to automated decision making and profiling.
Data subjects can use their rights in certain cases with respect to profiling of their information.
The Obligation of Data Controllers
Under GDPR, as soon as an enterprise gain access to the personal data of the consumers, it becomes obligated to use it responsibly and follow all the principles and guidelines stated in the regulation. As a data processor/ controller, the following obligations holds great significance
- Proper implementation of appropriate technical and organizational measures to ensure and demonstrate that the data controllers comply with the principles of GDPR. Internal data policies such as processing activities audits, HR policies review, and staff training may be included in it.
- To maintain relevant documentation regarding processing activities.
- Wherever required, the appointment of a qualified officer to monitor data protection should be done.
- Implementation of adequate measures that suffice the principles of data protection at the time of designing the process itself.
- The inclusion of data protection impact assessments wherever required.