What is the General Data Protection Regulation (GDPR)?
Data Privacy and Data Protection
People sometimes assume that Data Privacy and Data Protection are the same thing, but they are distinct concepts that are closely related and complement each other.
Data Privacy, also referred to as Information Privacy, is one of the biggest concerns today. It is the area of Information Technology that deals with which data held in a computer system may be shared with third parties.
Data Privacy concerns how information is handled during the collection and dissemination of data. Privacy centres on data that identifies a person: a lapse may result in that data being used for any purpose without the person's permission or being made public. Privacy is essential whenever information that identifies someone, in digital or any other form, is collected, stored, used, and finally deleted. Information collected in many places, such as health records, banks, websites, mobile apps, surveys, research studies, and government, may be at risk if it is not properly stored.
Data protection, by contrast, is about securing data against unauthorized access. Ideally, there would be common practices and standards for dealing with Data Privacy at the global level, or at least at the country level. The United States deals with Data Privacy in a sectoral manner, meaning separate laws or compliance regulations have been created in response to the needs of a particular sector (e.g., the Children's Online Privacy Protection Act (COPPA), the Electronic Communications Privacy Act (ECPA), and the Video Privacy Act (VPA) in the United States, or the General Data Protection Regulation (GDPR) in Europe).
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) was formulated in April 2016, and the EU gave companies two years to comply with it; it was set to take effect in May 2018. GDPR was formulated to unify Data Protection regulation within the EU and to give control of personal data back to the users. The new Regulation replaces the existing Directive 95/46/EC, the Data Protection Directive adopted in 1995.
Technology alone cannot ensure the privacy of personal data. Privacy protection mechanisms remain vulnerable to authorized individuals who legitimately have access to the data, so privacy law is far more effective than technology at dealing with such authorized individuals. The key features of GDPR include:
- GDPR applies to all companies that process the personal data of any customer in the European Union.
- Once GDPR applies to a company, the company must present clearly distinguishable consent terms when collecting data from individuals.
- Both automated and non-automated data processing activities fall within the scope of GDPR.
- GDPR does NOT apply to data processing activities that cannot be tied back to an identified or identifiable person.
- Data collectors and processors must strictly adhere to the purpose for which the data was collected; the data cannot be used for any other purpose without the users' explicit consent.
- Users can revoke their consent at any time, even if they previously consented to sharing their data with the collector's partner ecosystem.
- Data subjects have the right to have their data erased in certain circumstances, such as where they believe their data is being collected and/or processed unlawfully. Data collectors must respond within 30 days of the data subject's request.
- Breaches of GDPR attract severe fines. Non-compliance with GDPR results in a fine of 10 million EUR or 2% of annual turnover, whichever amount is higher. Fines are stiffer, i.e., 20 million EUR or 4% of annual turnover (whichever is higher), for serious breaches of the core tenets of GDPR, e.g., storing or processing data without obtaining the user's consent.
Conclusion
This is the era of consumers and regulatory bodies. Be careful when collecting and processing customers' data. Respect privacy, respect the law, and be ethical.