In this digital era, we are facing an ever-growing mountain of user data. With the constant growth and application of technology in our day-to-day lives, organizations of all types and sizes are now in possession of more data than ever before: data that is sensitive in nature and demands serious responsibility from those who hold it.
The recent revelation of Facebook misusing user data left everyone shocked. Our sensitive personal information is saved on their databases the moment we agree to their terms and conditions. Furthermore, Facebook has been selling that data to other companies, including our contacts, call logs, facial recognition data and every event we have ever attended. This is, without a doubt, a complete violation of our trust and privacy.
Ever since this data scandal, more focus is being placed on data security than ever before. It is now realized that regulations need to be put in place when it comes to data management. Concerned by this never-ending growth of sensitive data, the European Union has come to the conclusion that current directives regarding data security are not sufficient anymore.
So they drafted a new regulation called the General Data Protection Regulation (GDPR).
The General Data Protection Regulation (GDPR) grants individuals better control over their personal information and sensitive data. It is also expected that these progressive regulations will allow businesses to make the most of new opportunities through reinforced consumer trust.
The Changes Brought by GDPR
Until now, businesses in the UK have operated under the Data Protection Act 1998, which implemented the EU Data Protection Directive 95/46/EC. It is a framework that was constituted when people had very little online presence, when user data barely contained any sensitive or harmful information, and when data was managed in a very manual and old-fashioned way.
As we ascended into this digital era, there was a revolutionary change in the magnitude, types and the rate at which data was being produced. Many discussions have been going on in the EU for the past few years regarding the implementation of a new set of rules to better control the flow of data in this new age of technology.
The European Parliament and the Council formally adopted the GDPR in April 2016. It was published in the Official Journal on 4th May 2016 and came into force on 24th May 2016.
There is a two-year implementation period before it comes into effect. From 25th May 2018, all businesses will need to comply with the provisions of the GDPR.
The GDPR focuses heavily on providing individuals with greater control over their private data. It includes many new and increased obligations. Businesses that reside in the EU, or that deal with residents of EU member states from anywhere in the world, will need to adhere to these obligations, including the elements described below:
Key elements of GDPR:
Rights of Individuals
- The Right to Be Informed
- The Right of Access
- The Right to Rectification
- The Right to Erasure
- The Right to Restrict Processing
- The Right to Data Portability
- The Right to Object
- Rights in Relation to Automated Decision Making and Profiling
A number of new data subject rights, such as the ‘Right to Erasure/Right to be Forgotten’, are included in the GDPR. It also introduces enhanced versions of the existing rights (e.g. the Right to Information). Individuals have the right to be told by an organization whether or not it is processing personal data that relates to them. Such a request is called a 'subject access request', and there is a limited legal timeframe in which to comply with it. Under the GDPR, the timescale for responding to a 'subject access request' has been reduced from 40 calendar days to 30 calendar days.
From now on, businesses are obligated to make sure that individuals are properly informed about who is collecting their information and for what purpose. The right ‘Information to be provided on collection’ also requires organizations to update their privacy policies in line with the GDPR.
Right to Erasure / Right to be Forgotten
Directive 95/46/EC gives a person the right to request that search engines remove, from the list of results returned for a search on that person’s name, links to web pages published by third parties that contain that person’s information.
The GDPR gives individuals the right to request that their data be erased. However, certain grounds must be met before the information is taken down (for example, the information in question no longer serves the purpose for which it was collected). Where those grounds apply, businesses are obligated to erase that person’s information without undue delay.
Data Protection Officers
In some cases, businesses are required to appoint a Data Protection Officer (DPO) to help them comply with the obligations of the GDPR. Under the GDPR, you must appoint a DPO if you are:
- A public authority (except for courts).
- An organization that carries out monitoring of people on a large scale.
- An organization that carries out large-scale processing of special types of data like health records and criminal convictions.
Data Protection Officers are entitled to the company resources they need to do their job and to maintain their ongoing training. They must be given access to the company’s data processing operations and personnel, sufficient independence to carry out their role, and a direct line of communication to the highest level of management in the company.
Data Breach Notification
The GDPR requires controllers to report any kind of personal data breach to the supervisory authority (the ICO in the UK) without undue delay, and within 72 hours of detecting the breach.
In certain cases, where a data breach poses an immediate threat to an individual’s rights, data controllers are also obligated to inform the affected person of the breach without undue delay.
Fines and Enforcement under GDPR
Previously, under the Data Protection Act 1998, the maximum monetary penalty was £500K. Under the GDPR, the amount that a data protection supervisory authority may impose increases substantially: a maximum fine of up to €20m or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, may be imposed on organizations that do not follow the rules.
Individuals also have the right to claim for any damages they suffer due to a violation of the GDPR.
Businesses must understand all the new and enhanced regulations and make sure their data management practices follow these new guidelines. It is crucial for every business to alter its data management regime now to avoid the risk of falling behind.
At the end of the day, it’s all about building trust. Customers will only deal with a business if they trust it to keep their private information private.