From the Equifax breach that exposed the sensitive information of over 140 million Americans to the eBay cyber attack, and from the extraction of passwords and personal details from over 3 billion Yahoo accounts to the compromise of Target customers' credit card information, data breaches are no longer an infrequent phenomenon. Hence, protecting personal data has become all the more imperative.
“If you exchange information internationally, you must strengthen data protection. Those are two sides of the same coin.” - Gijs de Vries, Dutch politician
Effective from May 2018, the General Data Protection Regulation (GDPR) is a stringent European Union (EU) law that protects the personal information of all individuals within the EU and the European Economic Area (EEA), and that also governs the transfer of their personal data outside these areas. The impact of this regulation is expected to be huge and multi-faceted.
It has supplanted the Data Protection Directive of 1995, which failed to keep up with changing times. Not restricted to privacy alone, GDPR also has the potential to transform businesses of every scale, and it will be no surprise if, in the coming months or years, the largest companies choose to align their policies with it. Studies also suggest that it will generate a multitude of employment opportunities.
The foremost motive behind GDPR is to bring all EU and EEA members under the same data regulation framework while giving residents greater control over their personal data. Even though GDPR retains important terms and clauses delineated by the previous directive, it introduces major changes as well.
The provisions and stipulations of GDPR are rigid and apply to all enterprises, big or small, French or Italian, partnerships or corporations, irrespective of location, as long as they handle personal information and do business with the EEA. This means that even if the personal information of EU data subjects is processed outside the EU, GDPR still applies.
Breaching the GDPR puts the offender in a sticky situation: the fine can be the greater of the two figures, 4% of annual global turnover or 20 million euros. This, however, is the maximum fine and is reserved for the worst violations. In general, the fine is proportional to the impact and seriousness of the infringement.
Collecting and using personal data has become a Herculean task, since the rules governing consent have become more stringent and uncompromising. Whereas companies previously resorted to unintelligible and obscure legal jargon to obtain consent for processing data, GDPR ensures that the request for consent is clear and comprehensible. Moreover, it must be as easy to withdraw consent as it is to give it.
“Protecting customer data is much less expensive than dealing with a security breach in which records are exposed and potentially misused.” - Avivah Litan, Vice President of Gartner Research
GDPR requires that a data breach notification be sent out within 72 hours whenever the breach poses a risk. That risk is assessed by the damage the infringement could cause to individuals' privacy and freedoms. Data processors are also obliged to notify controllers and customers of a breach as soon as they become aware of it.
Under GDPR, data subjects have the right to access the information that controllers hold about them (e.g. Is my data being processed? What is it being used for? Where is the processing taking place?). Controllers must provide a copy of the personal information free of charge. Furthermore, data subjects can require controllers to delete their data, to stop circulating and processing it, and to transmit it to another controller. These powers bestowed upon data subjects greatly promote data transparency.
Previously, systems were built first and data protection was added afterwards. GDPR ensures that this no longer happens: business processes dealing with personal information must incorporate privacy 'by design', i.e. from the very outset, and the controller is obliged to enforce this by taking all appropriate measures. Secondly, privacy must also be 'by default', meaning that sensitive data should always be sanitized and encrypted.
In this age of analytics, wealth is measured by how much data you hold, and a measure like the General Data Protection Regulation was long overdue. Feel free to reach out to us with any query on the subject. We will be more than happy to help. Thanks for reading!
Avni Mehta and Achin Gupta