Are you a business based in the EU, or do you have operations in the region? Then it is crucial to understand the GDPR and its ramifications in the post-May 25, 2018 era. Once the regulation kicks in, it will grant a new set of ‘personal data rights’ to EU citizens. Any business that uses their personal data to meet its objectives will have to meet the obligations stipulated in the regulation.
But First, Any Business Must Understand the ‘Data Rights’ of EU Citizens
Every EU citizen has a fundamental right to the protection of personal data. It is set out in the Charter of Fundamental Rights of the European Union, Title II, Article 8, which reads as follows:
Protection of personal data
Everyone has the right to the protection of personal data concerning him or her.
Such data must be processed fairly for specified purposes and by the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
Compliance with these rules shall be subject to control by an independent authority.
Source– EC EUROPA
To give effect to this right, the Data Protection Directive (Directive 95/46/EC) was adopted in 1995 to regulate the processing of the personal data of citizens within the European Union. It was also an important component of EU privacy and human rights law.
Second, It Must Understand That the GDPR Aims To Protect New ‘Personal Data Rights’ of EU Citizens
The General Data Protection Regulation (GDPR), adopted in April 2016, will supersede the Data Protection Directive and come into effect on May 25, 2018. It is meant to strengthen citizens’ fundamental rights in the digital age and to simplify the rules for companies. Once the regulation kicks in, every EU citizen will have the following new set of personal data rights:
1. A right to be informed about who is processing his or her data, what data they are processing, and why they are processing it.
2. A right to access the personal data an organization holds about him or her, free of charge and in an accessible format.
3. A right to object to the processing of personal data.
4. A right to correct data if he or she believes that the personal data held by an organization is incorrect, incomplete or inaccurate.
5. A right to have data deleted and to be forgotten, which allows him or her to withdraw consent and stop personal data from being processed. If the data is no longer needed or is being processed unlawfully, he or she can ask for it to be erased.
6. A right to have a say when decisions are automated. Organizations that use algorithms to make decisions about him or her based on personal data must say if the decision is automated, give him or her the right to have the decision reviewed by a person, and let him or her contest the automated decision if the need arises.
7. A right to move data, under which he or she may request one service provider to transmit his or her data to another service provider.
It is a regulatory stride that protects the ‘personal data rights’ of EU citizens, and a welcome one.
Third, a Business Must Be Aware of “Costs of Infringing These Rights.”
If a business activity involving data processing infringes the regulation and a citizen suffers ‘material’ or ‘non-material’ damage as a result, he or she has the right to receive compensation for the damage suffered.
Any business may be penalized for infringing the regulation with administrative fines of up to 10 000 000 EUR or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
For certain other infringements the fine may be higher, up to 20 000 000 EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The fine may be levied on any firm processing data that does business in the EU, even one established outside the EU, as long as it deals with data belonging to EU citizens. But there are benefits for firms doing business in the EU as well:
Source- EC EUROPA
The two years since the adoption of the regulation in April 2016 have given most firms sufficient time to put a compliance mechanism in place. As the deadline nears, any firm that controls or processes the personal data of EU citizens will have to make sure that it is meeting its obligations.
Fourth, Businesses Must Meet GDPR Obligations and Respect the New ‘Personal Data Rights’ of EU Citizens
Now you can process the personal data of ‘natural persons’ only on the basis of consent. The purpose is to make sure that an individual understands what he or she is consenting to. Consent must be freely given, specific, informed and unambiguous, and given in response to a request made in clear and concise language.
Taking Consent: You should make sure that consent is given by an affirmative act, for example by:
• Checking a box online
• Signing a form
*Parental consent should be obtained for children aged between 13 and 16 years.
“Remember! Where someone consents to the processing of their data, a firm can only process the data for the legitimate purpose for which consent was granted. Furthermore, you must give them the opportunity to withdraw their consent.” – EC EUROPA
Once you have the consent of the ‘natural person’, you have to make sure that he or she can exercise the rights over the data.
CITIZEN’S RIGHT-1: To be informed
THE OBLIGATION OF THE FIRM: Clearly state
• Who you are
• Why you are processing the data
• The legal basis for the processing
• Who will receive this data
• How long the data will be stored
• How consent can be withdrawn
Source- EC EUROPA
CITIZEN’S RIGHT-2: To get access to their personal data free of charge and in an accessible format.
THE OBLIGATION OF THE FIRM: Once you receive a request to access the data, you have to:
• Confirm to the citizen that you are processing his or her personal data
• Provide additional information about the processing
• Offer a copy of the data being processed
CITIZEN’S RIGHT-3: To get portability of data
THE OBLIGATION OF THE FIRM: Once you receive a request for data portability, you should:
• Transmit the data to another firm in a commonly used, machine-readable format.
CITIZEN’S RIGHT-4: To get data erased (right to be forgotten)
THE OBLIGATION OF THE FIRM: Once the data controller receives a request to erase the data:
• Delete the data (there are certain conditions under which you may retain it)
CITIZEN’S RIGHT-5: To correct the data
THE OBLIGATION OF THE FIRM: If an individual requests his or her data and finds that it is incorrect:
• Rectify the data without delay.
CITIZEN’S RIGHT-6: To object to the processing.
THE OBLIGATION OF THE FIRM: If an individual objects to the processing of his or her data:
• Stop processing the personal data
CITIZEN’S RIGHT-7: To have a say when the decisions are automated.
THE OBLIGATION OF THE FIRM: Once the firm receives such a request:
• Inform the individual that the decision is automated
• If the individual wants the decision reviewed by a person, grant that review
• If the individual wants to contest the automated decision, let him or her do so (e.g., a loan eligibility check by a bank)
Besides the obligations aimed at protecting individual rights, the GDPR imposes other obligations that apply based on risk.
RISK-BASED OBLIGATION-1: Appointment of Data Protection Officer
The Data Protection Officer (DPO) monitors compliance with the GDPR, informs the firm’s employees about their obligations, and serves as the single point of contact for the Data Protection Authority (DPA) and for individuals (‘natural persons’). You must appoint a DPO if:
• You regularly or systematically process special categories of data
• The processing is a core business activity
• You process data on a large scale
RISK-BASED OBLIGATION-2: Data protection by design and by default
A firm may implement data protection by design using pseudonymisation to reduce privacy risks and increase trust. Data protection by design and by default makes sure that the privacy-friendly setting is your company’s default setting.
Source- EC EUROPA
RISK-BASED OBLIGATION-3: Providing notification in case of a data breach
In the event of a breach:
• Notify your DPA within 72 hours of becoming aware of the breach
• In the case of a high-risk breach, inform all affected individuals about the data breach
Fifth, a Business Must Ask Whether a Data Protection Impact Assessment (DPIA) Will Help
A firm may be carrying out data processing that poses a high risk to individuals, for instance:
• Automated processing for profiling individuals
• Systematic monitoring of an area on a large scale (e.g., CCTV)
• Large-scale processing of special categories of data (e.g., health data)
Source- EC EUROPA
With a DPIA, the firm can identify potential risks before the processing of personal data begins and before a breach happens. By mitigating those risks, damage can be avoided and costs lowered. A firm should consult the DPA if the DPIA fails to remove all the risks.
Sixth, Any Business Must Comply Once the GDPR Comes Into Effect
Once the GDPR kicks in, a business or firm processing the personal data of ‘natural persons’ must comply with the regulation as follows:
One-You Must Respond To Requests
If your firm receives a request from an EU citizen who wants to exercise his or her rights, the firm should:
• Respond within a month of receiving the request
• Provide the response free of charge
• If the request is rejected, inform the individual of the reasons for the rejection and of his or her right to file a complaint with the DPA
Two-Demonstrate compliance and maintain records (not mandatory for smaller organizations)
• When the DPA inspects, or upon request, your firm must be able to demonstrate that it is compliant.
• Maintain details of the reasons for processing data, a description of the ‘natural persons’ whose personal data is stored, the organizations receiving the personal data, any data transferred to another country, the data storage period, and the compliance measures applied when processing the data.
• Regularly maintain and update procedures and guidelines, and make them known to employees.
For cross-border processing of data, the supervisory authority of another country may be the competent one.
Source- EC EUROPA
Finally, a Business Must Not Take the GDPR as Another Compliance Burden
It is meant to protect the personal data rights of EU citizens. It gives control of data back to customers and makes sure that firms process it for the specified purpose without misusing it in any way, and that once they are done using it, they do not store it forever as feed for automated processing without even making the individual aware of it. Firms that do so do it at their ‘own risk’: the fines are scary enough to dissuade any firm that wants to misuse the personal data of EU citizens.