GDPR against Rising Threats of Data Piracy

20 Aug 2018

In this 21st century of ours, the world has benefited tremendously from the ability to collect, process, analyse and share data, and to use it to provide personalised and powerful services to customers and businesses. But this prevalence of data brings a penalty of risks too, including unwelcome privacy intrusion and nefarious breaches. These days data can travel from one side of the world to the other in an instant. Not surprisingly, people are demanding more control over the personal data that relates to them. New ways of governing and protecting that data have emerged; here we discuss the General Data Protection Regulation (GDPR), a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). Much has happened in the realm of data collection and processing in the past decade, especially online, and the 1995 Data Protection Directive, which the GDPR replaces, did not effectively cover some of it. The GDPR is a reaction to those concerns and to the growing need for data protection.

GDPR is short for General Data Protection Regulation and, as the name states, it is a legal framework to regulate data protection. It is a regulation put forth by the European Union (EU), adopted in April 2016 and applicable from 25 May 2018. The world these days revolves around data. Some of it is fairly general and public, but much of it is highly personal to each individual: a person's name and address, medical records and bank account information, photos, videos and passport details. The GDPR is intended to protect that data and to provide enhanced rights around it.

Because GDPR is an EU regulation, it applies to organisations established in EU member states, and also to non-European companies operating in a member state. More broadly, it applies to any organisation, anywhere in the world, that processes personal data about individuals in the EU when offering them goods or services or monitoring their behaviour. Its requirements affect data storage, processing, access, transfer and disclosure. It spells out how organisations must interact with data subjects and how they must respond to the various requests those individuals may make. It is well worth paying attention to, because the potential penalties for running afoul of the GDPR can be rather large: up to 4% of an organisation's annual global turnover or €20 million, whichever is greater.

Privacy and information rights rise to the top of the agenda with the advent of GDPR. Under its mandates and principles, privacy requirements apply to just about every kind of relationship:

  • Business to Consumer (B2C): the regulation brings a duty of care towards EU personal data.
  • Business to Business (B2B): GDPR obligations extend into third-party relationships that involve processing, so an organisation remains accountable for the processors it engages.
  • Business to Employee (B2E): if an EU data subject is an employee, the organisation's data on that person is within the scope of GDPR.

It is also worth noting that GDPR is what is known as principles-based regulation. That means organisations are responsible for working out which obligations they do or do not need to meet, based on the specific circumstances of their business and their use of data.

An organisation needs to fully understand how it uses its information assets to ensure that it incorporates the new data privacy requirements. Because data weaves its way through many different systems and processes, a thorough evaluation of current and future data capabilities is required, and the organisation must be ready to make major adjustments to its information management practices. Like any regulation, the GDPR includes all kinds of specifics to which an organisation must pay attention. Here are some of the basic requirements:

  • The ability to facilitate data subject rights, such as access, correction, objection, erasure and data portability,
  • The implementation of controls that ensure the lawfulness, fairness and transparency of processing,
  • Purpose limitation: limits on the purposes for which data may be processed and stored,
  • Data minimisation (including pseudonymisation, the replacement of identifying data with pseudonyms),
  • Accuracy of data,
  • Storage limitation,
  • Integrity and confidentiality, and
  • Accountability

Under GDPR, it is important to look at data security and data governance across the enterprise. Before making any processing decision that involves personal data, an organisation needs to put the risk under a microscope and focus on the rights and freedoms of the EU data subjects concerned.

Responsibilities of the organization:

The GDPR requires organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale (or large-scale processing of special categories of data) to name a data protection officer. It also puts forward pseudonymisation, whereby identifying data is converted so that it can no longer be attributed to an individual without additional information, such as a key or lookup table, that is kept separately and protected by its own technical and organisational measures. Anyone who obtains the pseudonymised data without that additional information cannot trace it back to the individual.
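The difference between a pseudonym that really does depend on separately held information and one that merely looks anonymous is easy to get wrong in practice. The following added example (it is not code from the original article, and the records, e-mail addresses and keys in it are constructed for illustration) contrasts an unkeyed SHA-256 hash of an e-mail address, which anyone with a list of candidate addresses can reverse by recomputing the hashes, with an HMAC-SHA256 pseudonym whose secret key is the "additional information" the regulation expects to be kept apart from the data set:

```python
"""Pseudonymisation, keyed vs. unkeyed.

Added example for this article; it is not code from the original post.
The records, e-mail addresses and keys below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample records; none of these people are real.
RECORDS = [
    {"email": "alice@example.org", "country": "DE", "purchases": 3},
    {"email": "bob@example.org", "country": "FR", "purchases": 1},
    {"email": "alice@example.org", "country": "DE", "purchases": 2},
]


def naive_pseudonym(identifier: str) -> str:
    """Plain SHA-256 of the identifier.

    Looks anonymous, but the function has no secret: anyone who can guess
    candidate identifiers can recompute the hash and match it.
    """
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym.

    `key` is the 'additional information' that GDPR requires to be kept
    separately from the pseudonymised data; without it the output cannot be
    recomputed or matched against guessed identifiers.
    """
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: list, key: bytes) -> list:
    """Replace the direct identifier with a keyed pseudonym and keep only the
    fields the analysis needs (data minimisation). Records of the same person
    still share a subject_id, so per-subject analysis remains possible."""
    return [
        {
            "subject_id": keyed_pseudonym(r["email"], key),
            "country": r["country"],
            "purchases": r["purchases"],
        }
        for r in records
    ]


def match_pseudonyms(pseudonyms: list, candidates: list, fn) -> dict:
    """Recompute pseudonyms for a list of candidate identifiers and report
    which ones appear in `pseudonyms`.

    Run by an attacker with a leaked address list, this is a dictionary attack.
    Run by the controller holding the real key, it is the legitimate
    re-identification needed to serve an access or erasure request.
    """
    table = {fn(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # stored separately from the data set
    guesses = ["alice@example.org", "bob@example.org", "carol@example.org"]

    naive = [naive_pseudonym(r["email"]) for r in RECORDS]
    recovered = match_pseudonyms(naive, guesses, naive_pseudonym)
    print("unkeyed hash, attacker recovers:", sorted(set(recovered.values())))

    data = pseudonymise(RECORDS, key)
    ids = [r["subject_id"] for r in data]
    attacker_key = secrets.token_bytes(32)  # the attacker does not hold the real key
    print("keyed, attacker recovers:",
          match_pseudonyms(ids, guesses, lambda c: keyed_pseudonym(c, attacker_key)))
    print("keyed, controller re-identifies:",
          sorted(set(match_pseudonyms(ids, guesses, lambda c: keyed_pseudonym(c, key)).values())))
```

Two points follow from the example. First, the protection hinges entirely on where the key lives: if it is stored in the same database or the same backup as the pseudonymised records, a single breach exposes both and the data is, in effect, directly identifiable. Second, an HMAC pseudonym is deterministic, which is what keeps records of the same person linkable for analysis, but the remaining fields (country, purchase history) are quasi-identifiers that can still single out an individual when combined with other data sets, so pseudonymisation reduces risk rather than removing it, and the data remains personal data under the regulation.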

Rights Given to Data Subjects:

The GDPR gives data subjects the right to object to data processing. When they do, the organisation must show that it has compelling legitimate grounds that override the data subject's interests in order to continue processing that subject's data. The data subject also has the right to have inaccurate data corrected.

Some rights spelled out by GDPR:

  • Subject access request: individuals have the right to ask an organisation for the details of any information it holds on them. The organisation must be able to provide a copy of the data, information about how it uses the data, the recipients or categories of recipients who have access to it, and an indication of how long it will be stored.
  • Data portability: data subjects can ask an organisation to pass their data on to another controller, and to receive it themselves in a structured, commonly used, machine-readable format.
  • Right to be forgotten (erasure): data subjects can ask the organisation to permanently delete the data it holds on them.
  • Notification of breach: if there is a personal data breach, the organisation must notify the supervisory authority within 72 hours of becoming aware of it, and where the breach is likely to result in a high risk to individuals it must also notify the affected data subjects without undue delay.
About the Author: Akshay Mankar

Akshay is a Language Enthusiast & an HNLU alumnus. He believes in simplicity & takes legal literacy very close to his heart.


