GDPR

GDPR – Get your business compliant now!

Data is the new oil. And the General Data Protection Regulation, or GDPR, is the set of rules that regulates it.

This could not be more relevant today, when data is generated in every transaction and every online keystroke. Loosely put, it is your identity, or rather variables of your identity, that makes its rounds across various systems around the globe, only to “sit” dormant somewhere for a while before resurfacing to stalk you while you are purchasing something or harmlessly browsing a website.

Throw in a cross-border transaction on web servers and databases sitting outside one’s home country, and we have a motley collection of issues to deal with in this transfer of personal data.

An enterprise, say a social media platform, a video-on-demand platform, or a shopping site, can always argue that this data is largely used to craft a better customer experience. But under the garb of customer experience, the chances are you are giving these companies much more than what you signed up for.

In most developing economies, companies can no longer take your personal data without your consent and, more importantly, without telling you how it will be used.

The question is, would you like to be in control of the personal data you have shared? Would you like to know what kind of data is taken from you? These are some of the questions that GDPR addresses through its stringent regulations – perhaps one of the most stringent sets of regulations on data protection worldwide.

So, if you receive an email from an organization or business saying that it has updated its privacy policy, that is thanks to GDPR. When it comes to your personal data, you have rights.

It’s the digital age; data is the price we pay for convenience and technology. Every revolution has a trade-off, and data creation is one such trade-off that GDPR tackles through its provisions.

A Brief History of GDPR

The Convention 108 treaty adopted by the Council of Europe laid the foundation of GDPR as we know it today. Since it was drafted in 1995 (the EU itself was created by the Maastricht Treaty, which entered into force on November 1, 1993), in the pre-Amazon, pre-cloud days, so to speak, the framework did not adequately address the data and technology complexities of the future.

Simply put, data was not yet an asset, HTTP was still nascent, and online tracking was non-existent. In 1995, internet penetration in the US was under 5%, and less than 10% had a home computer. And mobile telephony was not yet smart.

Clearly, the policymakers of that time did not anticipate the pace of technological advancement, which in turn set the ball rolling for a comprehensive data regulation policy.

A question that comes to mind is why Europe took the lead when it came to data protection. Come to think of it, the framework was way ahead of its time. It would not have been surprising if the United States had come up with a framework in the mid-90s. After all, it was the home of major software and hardware companies. The internet was already beginning to take shape: emails, websites, and data-crunching had started to make their presence felt in corporate America.

If one were to investigate this, one would have to go back to 1890, when two lawyers, Samuel D. Warren and Louis D. Brandeis, laid the foundation of the Right to Privacy (Samuel D. Warren and Louis D. Brandeis, Harvard Law Review, Vol. 4, No. 5 (Dec. 15, 1890), pp. 193-220).

So, the ‘Right to Privacy’ did exist in some form a century ago. 

Not surprisingly, it also appears in the Declaration of Human Rights proclaimed by the United Nations General Assembly in Paris on 10 December 1948 (General Assembly resolution 217 A).

“No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence….”

When was GDPR introduced?

One can trace the seeds of GDPR to 1995. It started as the Data Protection Directive (DPD), Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

The modern version of GDPR was put into effect on May 25, 2018. The directive made it imperative for all member countries to participate and ensure its complete adoption, with no exceptions.

And, what does it mean?

The General Data Protection Regulation (“GDPR”) is a legal framework that requires businesses and corporations to protect the personal data and privacy of European Union (EU) citizens for transactions that occur within EU member states. Its scope and coverage extend to all entities and corporations that work with or deal in the personal data of EU citizens.

For example, if you are in India or the US doing business with any country in the European Union (EU), you need to be GDPR compliant. Meaning, irrespective of your country of origin, if you happen to access or process the data of an EU citizen, you are within the GDPR ambit.

Coverage and enforcement leave nations some flexibility; one could call it a minor amount of headroom. For instance, in the United Kingdom, it is the Data Protection Act 2018 that is in place. Here is the outline from the Data Protection Act 2018:

The Data Protection Act 2018 controls how your personal information is used by organizations, businesses, or the government. The Data Protection Act 2018 is the UK’s General Data Protection Regulation (GDPR) implementation.

The General Data Protection Regulation (GDPR) has been in place for around three years and has lived up to expectations in its coverage and protection of an individual’s personal data. And companies, on their part, have been largely successful in meeting the provisions laid down by the framework.

GDPR – Principles

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’.

The principles that govern GDPR centre on how data is collected, the purpose for which it is collected, the quantity of data collected, and its accuracy and storage. From an implementation perspective, the cornerstones of these principles are transparency, fairness, and lawfulness. More importantly, all these principles need to be backed by accountability and must be demonstrable.

Data minimization is another interesting principle. For example, race and sexual orientation may not be required, but they are still collected by some organizations.

Organizations believe in surplus when it comes to data: more is always better. Storage is cheap, computation is fast, and machine learning models are hungry for more data points (or features).

The data minimization principle ensures that the collecting organization does not gather data unrelated to its stated purpose and, more importantly, that no “extra” information is collected.

Another aspect of GDPR is data portability – wherein personal data can be transferred from one Controller to another with due consent. Needless to say, such transfers are subject to appropriate safeguards.

Specifically, the principles of GDPR as per Article 5 include:

1. Lawfulness, Fairness, and Transparency

2. Purpose limitation – data collected is to be used for the stated purpose, i.e., the collected data cannot be used for an extended purpose.

3. Data minimization – only data that is necessary to the purpose is to be collected/processed.

4. Accuracy

5. Storage limitation – there are two aspects to this. Data is not to be kept or stored longer than necessary. Exceptions would be those data points processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, but this is subject to appropriate technical and organizational measures.

6. Integrity and confidentiality – data is processed in a manner that ensures appropriate security of personal data.

Conditions for Consent

Consent plays a crucial role in GDPR, and consent, again, must be demonstrable. It has to be clear and distinct, not wrapped in legal jargon laden with exceptions and disclaimers. Consent that is given can also be withdrawn at any time, and hence appropriate measures must be in place to honour withdrawal. Moreover, documentary evidence of consent is required for GDPR compliance.

Consent has to be, according to Article 7, a “freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

There are also conditions attached to consent. As per Article 7 (Conditions for consent):

“Where the processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.”

Personal Data

While we usually identify personal data with personally identifiable information, GDPR also lays down concrete definitions across varied data dimensions, such as how biometric data and data concerning health need to be handled.

Artifacts that constitute personal data include email addresses, names, gender identity, location details, bank details, medical information, IP information, or a photograph. Article 9 talks about handling special categories of personal data, such as racial or ethnic origin, web cookies, political opinions, and sexual orientation. It is important to note that even hashed or encrypted data can, under certain conditions, still fall within the ambit of personal data.

There are exceptions, but explicit consent to the processing of any of these data points must be obtained, and the purpose must be in line with the Article 9 framework.

The Right to be Forgotten and Rectification

Perhaps this is one of the challenging requirements of the GDPR framework. 

Although this ties in with one of the core tenets of GDPR, i.e., ‘storage limitation’ – under which data cannot be held for an indefinite period of time – the ‘right to be forgotten’ goes further: it allows a person to have his or her personal data erased and no longer processed in cases where the data is no longer required. Conversely, GDPR also allows the rectification of inaccurate personal data through a structured process.

Information Security

The core of the integrity and confidentiality principle is that personal data must be protected against breaches, including protection against “unauthorized or unlawful processing and against accidental loss, destruction or damage” of personal data.

Meaning, a robust information security policy should be put in place to ensure that information is kept safe, and servers and processes hardened, so that data breaches do not occur.

The framework is clear on how data breaches must be addressed, communicated to the concerned parties, and so on. All breaches are expected to be addressed promptly by the Controller, who must notify the supervisory authority within 72 hours of becoming aware of the breach. Extrapolating from the first tenet of transparency, the Controller must communicate the breach clearly and explicitly, to the fullest extent possible.

Another dimension of this principle, from a technical standpoint, is information security itself; here, GDPR does not delineate specific information security guidelines, as they could differ from business to business. A drug company and a telecom company could have different concerns regarding information security. Both collect personal data, but for different purposes. A drug company could collect information and handle it largely in-house for drug trials. But in a bank, you would need much more than just basic personal identifiers.

Controllers Vs. Processors

A framework becomes all-encompassing if there is accountability, or, as Nassim Taleb puts it, if there is ‘skin in the game’ woven into the framework. Controllers and Processors fulfil this objective. With data being all-pervasive, flowing from one organizational department to another and sometimes across entities, single-point accountability for personal data becomes difficult to pinpoint.

Therefore, there are clear roles that delineate who is responsible for managing and processing personal data. 

According to Article 4 (Definitions), a Controller is a natural or legal person, or a public authority or agency, that (alone or jointly with others) determines the purpose and means of processing personal data.

On the other hand, a Processor is a natural or legal person who processes personal data on behalf of the Controller. From a hierarchy point of view, the Controller is responsible for personal data. For example, in the case of a breach, the Controller communicates the breach to the stakeholders involved.

That said, Controllers are the main decision-makers. They oversee all aspects of data collection: purpose, fairness, storage, integrity, and processing. From an entity point of view, Controllers can be a group, or can be jointly responsible for personal data. Processors act at the behest of Controllers. But from an accountability point of view, Controllers bear more stringent accountability over personal data.

By establishing a system of checks and balances, the Controller and Processor roles clearly bolster the accountability quotient of the GDPR framework. 


Robin Thomas

Thank you for reading!
