Dr. Viratkumar Kothari


What is General Data Protection Regulation (GDPR)?

Data Privacy and Data Protection

People sometimes think that Data Privacy and Data Protection are the same thing. They are in fact quite different, but they are closely related and complement each other.

Data Privacy is one of the biggest concerns nowadays. Data Privacy is also referred to as Information Privacy. It is the area of Information Technology that deals with which data held in a computer system may be shared with third parties.

Data Privacy concerns how information is handled during the collection and dissemination of data. Privacy is closely tied to data that identifies someone, and a loss of privacy may result in that data being used for any purpose without the person’s permission or being made public. Privacy matters wherever information, in digital or any other form, that identifies someone is collected, stored, used and finally deleted. Information collected at various places, such as health records, banks, websites, mobile apps, surveys, research studies and government bodies, may be at risk if it is not properly stored.

In summary, data protection is about securing data against unauthorized access. Ideally, there would be globally common practices and standards for dealing with Data Privacy, or at least common practices at the country level. The United States deals with Data Privacy in a sectoral manner, which means that a separate law or compliance regulation has been created in response to the needs of a particular sector, e.g. the Children’s Online Privacy Protection Act (COPPA), the Electronic Communications Privacy Act (ECPA) and the Video Privacy Act (VPA). Europe, by contrast, has a single General Data Protection Regulation (GDPR).

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) was adopted in April 2016. The EU gave companies two years to comply with it, and it is now set to take effect in May 2018. GDPR has been formulated to unify Data Protection regulation within the EU and to give control of data back to the users. The new Regulation replaces Directive 95/46/EC, the Data Protection Directive adopted in 1995.

Technology alone cannot ensure the privacy of personal data. Privacy protection mechanisms remain vulnerable to authorized individuals who are able to access the data. A privacy law is therefore far more useful than technology for dealing with such authorized individuals. The key features of GDPR are as follows:

1. GDPR applies to all companies that process the personal data of any customer in the European Union. In practice, it therefore applies to every company that processes the personal data of customers from the European Union.

2. Once GDPR becomes applicable to a company, the company is required to display clearly distinguishable consent terms when seeking data from individuals. The GDPR Regulation states,

“Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”

3. Both automated and non-automated data processing activities come under the ambit of GDPR.

4. GDPR will NOT apply to data processing activities that cannot be tied back to an identified or identifiable person.

5. Data collectors and processors now have to stick strictly to the purpose for which the data is being collected; the data cannot be used for any other purpose without the users’ explicit consent.

6. A user can revoke his/her consent at any point in time, even after having consented to sharing his/her data with the data collector’s partner ecosystem.

7. A data subject always has the right to have their data erased in certain circumstances, such as where he/she believes the data is being collected and/or processed unlawfully. The data collector has to respond within 30 days of being informed by the data subject.

8. Breaches of GDPR attract very heavy fines. Non-compliance with GDPR results in a fine of 10 million EUR or 2% of annual turnover, whichever amount is higher. Fines are stiffer, i.e. 20 million EUR or 4% of annual turnover (whichever amount is higher), in the case of a serious breach of the core tenets of GDPR, e.g. not taking consent from a user while storing/processing data.


This is the era of the consumer and of regulatory bodies. Be careful while collecting and processing customers’ data. Respect privacy, respect the law and be ethical.
