The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in the last two decades. The GDPR was approved by the EU Parliament on April 14, 2016 and will be effective from May 25, 2018. The GDPR replaces the Data Protection Directive 95/46/EC and will apply uniformly across all 28 EU member states to protect and empower the data privacy of all EU citizens. Elizabeth Denham, the UK's information commissioner, has called the GDPR an "evolution" rather than a complete "revolution", indicating that it is a process and not a finished package.
Individuals, organisations, and companies that are either controllers or processors of personal data in the EU will be covered by GDPR. Personal data of every kind is covered: a name, an address, an IP address, genetic data, religion, political views, sexual orientation and so on.
Any company which falls under the following brackets is required to comply with GDPR:
- A company established in an EU country.
- A company not established in the EU which nevertheless processes the personal data of European residents.
- A company with more than 250 employees.
- A company with fewer than 250 employees whose data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.
So the GDPR dragnet is spread far and wide. Data can only be processed lawfully in one of the following scenarios:
- The data subject has given specific consent to the processing of his or her personal data.
- Compliance with a legal obligation to which the controller is subject.
- To protect the vital interests of the data subject.
- For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- For the purposes of the legitimate interests pursued by the controller or by a third party.
Pseudonymisation of data is a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information. An example of pseudonymisation is encryption, which renders the original data unintelligible; the process cannot be reversed without access to the correct decryption key. The GDPR requires that this additional information — the decryption key — be kept separately from the pseudonymised data. Pseudonymisation is recommended because it reduces the risks to the data subjects concerned and helps controllers and processors meet their data protection obligations, but pseudonymised data is still considered personal data and remains covered by GDPR.
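The following Python sketch is an added illustration, not code from the article or its author. It shows the point of the paragraph above in working form: direct identifiers are replaced by a keyed pseudonym, the key and the pseudonym-to-identity mapping are held in a separate store, and a record can be linked or re-identified only by a party holding that store. The keyed-hash (HMAC) approach, the `KeyStore` class and the sample records are my own assumptions and constructed data; a real deployment would put the store in a different system with its own access controls.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (fictional people), as a controller might hold them.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "city": "Paris", "purchases": 3},
    {"name": "Bob Example", "email": "bob@example.com", "city": "Berlin", "purchases": 1},
    {"name": "Alice Example", "email": "alice@example.com", "city": "Paris", "purchases": 2},
]

# Fields that directly identify a data subject and must not survive pseudonymisation.
DIRECT_IDENTIFIERS = ("name", "email")


class KeyStore:
    """Hypothetical holder of the 'additional information' the GDPR says must be
    kept separately: the secret key plus the pseudonym -> identity mapping.
    Whoever lacks this object cannot attribute a pseudonymised record to a person."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self.lookup = {}  # pseudonym -> tuple of original identifying values


def make_pseudonym(key, identity):
    """Keyed hash of the identifying fields. Deterministic for the same person, so
    records remain linkable for analytics, but not computable without the key."""
    msg = "\x1f".join(identity).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise(records, store):
    """Return a copy of the records with direct identifiers replaced by a pseudonym;
    the re-identification mapping is written only into the separate store."""
    out = []
    for r in records:
        identity = tuple(r[f] for f in DIRECT_IDENTIFIERS)
        pid = make_pseudonym(store.key, identity)
        store.lookup[pid] = identity
        rest = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"subject_id": pid, **rest})
    return out


def reidentify(pseudo_record, store):
    """Recover the identity for a pseudonymised record, or None if this store
    never issued that pseudonym (e.g. a different key or a different holder)."""
    identity = store.lookup.get(pseudo_record["subject_id"])
    if identity is None:
        return None
    return dict(zip(DIRECT_IDENTIFIERS, identity))


def leaks_identifiers(pseudo_records):
    """Sanity check a controller can run before sharing a pseudonymised data set:
    True if any direct identifier field is still present."""
    return any(f in r for r in pseudo_records for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    store = KeyStore()
    pseudo = pseudonymise(RECORDS, store)
    print("identifiers leaked:", leaks_identifiers(pseudo))
    print("same person, same pseudonym:", pseudo[0]["subject_id"] == pseudo[2]["subject_id"])
    print("re-identified with the store:", reidentify(pseudo[1], store))
    print("re-identified without the store:", reidentify(pseudo[1], KeyStore()))
```

Note that the pseudonymised set still carries `city` and `purchases`, which is why the paragraph above insists it remains personal data: combined with other sources, indirect attributes can still single a person out, and the `KeyStore` must be protected as carefully as the original records.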
Data subjects are the people whose data are being processed, and their rights include:
Right of access: It gives citizens the right to access their personal data and to learn how that data is being processed. A data controller has to provide, upon request, an overview of the categories of data that are being processed.
Data portability: The data subject should be able to transfer their personal data from one electronic processing system to another without any restrictions. However, data that has been sufficiently anonymised is excluded from this obligation.
Right of erasure: The right to have one's personal data erased.
Data protection by design and by default: Privacy settings must be set to a high level by default, and the controller must put technical and procedural measures in place to ensure that processing complies with the regulation throughout the whole processing lifecycle. Controllers should also implement mechanisms to ensure that personal data is only processed when necessary for each specific purpose.
Records of processing activities: Records of processing activities must be maintained, including the purposes of processing, the categories involved and the envisaged time limits. These records must be made available to the supervisory authority on request.
Under GDPR, the data controller will be under a legal obligation to notify the supervisory authority of a potential data breach without delay, and within 72 hours of becoming aware of it.
The cost of non-compliance with GDPR is huge. The GDPR establishes penalties for breaches which enable the data protection authority to impose fines for some infringements of up to the higher of 4 per cent of annual worldwide turnover and €20 million. These penalties apply to both data controllers and data processors. Some of the acts which attract these penalties are:
- Infringements of the rights of data subjects.
- International transfers of personal data.
- Failure to implement or adhere to a subject access request process.
- Failure in obtaining consent for data processing.
Other, less egregious breaches attract a fine of up to the higher of 2 per cent of annual worldwide turnover and €10 million. Some of the acts which attract these penalties are:
- Failure by data controller in relation to the engagement of processors.
- Failure to report breaches.
- Failure to appoint a data protection officer, if such appointment is required pursuant to GDPR.
- Failure to implement measures to ensure privacy by design.
The cost of complying with GDPR is huge, as is the cost of not complying. Given the vast compliance requirements, the cost to companies will run into multiple millions of dollars depending on their size.
So whether one likes it or not, GDPR is here to stay and compliance is essential. This applies to Indian companies too, wherever they handle EU data. There is no shortcut or magic wand that will make a company compliant with the GDPR; compliance has to become an inherent process that changes the company's whole outlook.
(The writer is the global head of legal in a major information technology company)