GDPR and its Key Aspects
What is GDPR?
GDPR, the General Data Protection Regulation, is a regulation that focuses on data protection and privacy in the European Union. The GDPR was adopted on 14th April 2016 but became fully enforceable on 25th May 2018. It has been only two years since its implementation, but reportedly thousands of breaches have taken place since then. Now a lot of questions may arise in your mind: How have things changed due to GDPR? How effective is it? Who regulates it? Who reports data breaches, and to whom? Certainly, I guess a lot of W's are associated in your mind with the image of GDPR. So let's find out the answers to your questions.
For the people living inside the EU, you must have received a lot of emails announcing a change in the policies of the sender's organization. And for the people living outside the EU, most of you are still baffled about whether to give 'permission to access your contacts' to your calculator or not. Yes, it happens; there is certainly a lot of irrelevant processing going on with your personal data collected by numerous web services or the apps you use on your phones or laptops. Take the Cambridge Analytica case that most of us are already aware of: reportedly more than 50 million user profiles were compromised, and Facebook later confirmed that the correct number was near 87 million. It happened on a very large scale, which is why we are aware of it. What about the other data breaches that are not even reported? What about that funky game that you installed on your smartphone, giving away all of your personal data with one click, data which is then sold to third parties for their own benefit? With so much unlawful processing happening, there was a need to impose regulations to curb these incidents and to supervise all of this. And that's when GDPR came into effect.
The Seven Principles
The GDPR sets out seven principles for the lawful processing of personal data. Processing includes the collection, organization, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure, or destruction of personal data. Broadly, the seven principles are:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Actors in GDPR
- Controller: The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processor: The processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Data Subject: A data subject is any person whose personal data is being collected, held, or processed.
Regulatory Bodies in GDPR
- Data Protection Officer: The Data Protection Officer is a responsible leadership role required by GDPR, which shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. The DPO is responsible for informing and advising the organization and its employees of their data protection obligations under the GDPR, and for monitoring the organization's compliance with GDPR and with its internal data protection policies and procedures.
- Supervisory Authority: Under GDPR, a Supervisory Authority is an independent public authority that is responsible for monitoring compliance with GDPR, helping organizations become compliant with GDPR, and enforcing compliance and conducting investigations. The supervisory authority is the body that must be notified in case of a data breach.
What makes GDPR a unique regulation in the domain of data protection?
- As I already mentioned above, the Data Protection Officer mandate plays a very important role in defining the uniqueness of GDPR. GDPR requires that the Controller and the Processor ensure the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
- The wide range of individual rights also adds to the uniqueness of GDPR. The framework grants individuals an ample set of rights, such as the Right to Erasure (Right to be Forgotten), the Right to lodge a complaint with a supervisory authority, the Right to compensation and liability, and many more!
- Breach notification mandate: Article 33, 'Notification of a personal data breach to the supervisory authority', states that "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority".
- As for the processing of personal data, it shall be lawful only if the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
What are the GDPR fines and penalties for non-compliance?
Talking about penalties, there are two tiers of administrative fine that can be levied for GDPR non-compliance: up to €10 million, or 2% of annual global turnover, whichever is greater; or up to €20 million, or 4% of annual global turnover, whichever is greater.
The introduction of GDPR created a sense of urgency to adopt data protection frameworks among countries all over the world. The regulation became a model for many national laws outside the EU, including those of Japan, Brazil, South Korea, Kenya, etc. The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has a lot of similarities with GDPR, as does the Personal Data Protection Bill 2019 of India.