Insight on General Data Protection Regulation
Discussing Data Privacy (General Data Protection Regulation)
Data privacy (General Data Protection Regulation) has been a recurring topic lately. Data privacy is a broad term that refers to the appropriate handling of personal data with regard to consent, notice, sensitivity, regulatory requirements and so forth. To handle data privacy correctly, an organization, or a regulator, usually puts an information security programme and a methodology in place. Data security and data privacy are different but closely related terms, and each affects the other. Data security is the practice of protecting data from unauthorized access, alteration or loss, whereas data privacy governs how data may be collected, shared and used. Data security on its own only ensures that data is not leaked; to confirm that data is used ethically, proper privacy provisions must be in place as well. Data privacy issues generally revolve around whether and how data can be shared with third parties, and whether data can legally be collected or stored given regulatory restrictions. Those regulatory restrictions are what make data privacy mandatory rather than optional. Of all the data privacy regulations, the General Data Protection Regulation (GDPR) is the most recent and appears to be making the most waves.
What is General Data Protection Regulation (GDPR)?
The General Data Protection Regulation is a European Union (EU) regulation on data protection. It governs the protection and privacy of the personal data of all individuals (data subjects) within the European Economic Area (EEA). GDPR is rooted in fundamental rights law as well as data protection: it deals with sensitive questions such as whether an individual has knowingly consented to their information being shared. GDPR applies to the processing of personal data by organizations established in the EU, and also to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU; it additionally restricts the transfer of personal data outside the EU and EEA. In practice this means most processing of EU-based personal data falls within its scope. The main objective of the GDPR is to give individuals in the EU control over their personal data and to make organizations accountable for how they handle it. Personal data may be stored by government bodies, businesses, institutions and other entities for many purposes. GDPR aims to harmonize the rules for storing and protecting that data, ensuring personal data is in safe hands. GDPR was adopted in 2016, applies from 25 May 2018, and supplants the older Data Protection Directive (DPD). The Data Protection Directive (Directive 95/46/EC) was adopted in 1995 and governed personal data processing across the EU. A directive sets a result that each member state must achieve but leaves the member states to write their own national laws to reach it; a regulation, by contrast, is directly applicable law that must be followed as written. Under the DPD, member states such as Germany, Spain and France each adopted their own data protection laws according to their reading of the directive. The GDPR, with the intention of adding uniformity, sets out rules that apply directly and identically in every member state.
DPD vs GDPR
The General Data Protection Regulation makes several improvements over the previous Data Protection Directive. First, it has broadened the definition of 'personal data'. Under the DPD, personal data was generally understood to mean names, photos, addresses and personal identification numbers. The GDPR explicitly includes technology-based identifiers as well: a person's web history, IP address and other online identifiers, location data, and genetic and biometric data such as fingerprints and retina scans. This upgraded definition was badly needed given the technological advances of the two decades since the DPD came into force. GDPR also introduces considerably stronger individual rights, and privacy considerations are far more advanced than under the older rules. Organizations (data controllers) that rely on consent must now obtain a specific, unambiguous, opt-in consent before processing personal data, which adds real transparency to how personal data is collected and processed. The GDPR also introduces the 'right to be forgotten' (the right to erasure): EU residents can demand that an organization permanently delete their personal data, and the controller must comply unless an exception applies, such as a legal obligation to retain the data. A separate right to data portability lets data subjects demand that their data be transferred to another organization in a machine-readable form. Data subjects can also object to, or restrict, the processing of their personal data, including its disclosure to third parties. Organizations are further required to delete personal data that is no longer needed for the purpose for which it was collected. GDPR also introduces the 'right of access', under which data subjects can obtain from data controllers, free of charge, confirmation of whether their data is being processed, a copy of that data, and information about how, where and for how long it is used. This is a major upgrade over the DPD and gives citizens far greater control over their personal data. Another key difference between GDPR and DPD is that the organizations handling data, both controllers and processors, now carry direct obligations with several restrictions and added guidelines.
Whereas under the DPD processors were generally held liable only when something went wrong, GDPR takes a precautionary approach: a processor may act only on the documented instructions of the data controller, under a contract that sets out its duties. The GDPR defines a data controller as the "natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"; a processor is a body that processes personal data on the controller's behalf. (The regulator in each member state is a separate supervisory authority, not the controller.) GDPR also introduces several requirements for documenting how personal data is handled. Organizations with 250 or more staff, and smaller ones whose processing is more than occasional or involves sensitive data, must keep records of their processing activities and documentation of their data protection policies. Organizations must also carry out a data protection impact assessment before any processing that is likely to pose a high risk to individuals. In addition, organizations whose core activities involve "regular and systematic monitoring of data subjects on a large scale", or large-scale processing of sensitive data, must appoint a Data Protection Officer, as must public authorities. The Data Protection Officer is the focal point for any data processing matter raised by citizens or by the supervisory authority. Along with the enhanced obligations, GDPR levies much heftier fines for violations. Under the DPD, violations were punished with differing, and somewhat low, fines set by each member state. The GDPR, however, has clear-cut and strict penalties in two tiers. A personal data breach must be notified by the controller to the supervisory authority within 72 hours of becoming aware of it, and failure to do so can attract a fine of up to EUR 10 million or 2% of the organization's worldwide annual turnover, whichever is higher. Infringements of the basic principles, of data subjects' rights or of the rules on international transfers fall into the higher tier of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher.
Effects of GDPR
GDPR is expected to affect businesses across the EU. For consumers, the new rules clearly bring stronger rights and greater transparency. Just as clearly, organizations will face a range of added costs and formalities in their operations, in addition to the need to hire or train a Data Protection Officer where one is required. One of the less expected impacts is on Blockchain-based projects. A blockchain is essentially a shared, decentralized ledger whose records are chained together with cryptographic hashes so that they cannot be altered once written; public blockchains do not encrypt the data they hold, they make it tamper-evident and replicate it to every participant. That design is what gives blockchain its integrity guarantees and its efficiency for record-keeping applications, but it also means that any personal data written to the chain is copied to every node and can never be erased. This conflicts directly with the right to erasure and with the principle that data should not be kept longer than necessary, and it is unclear who the controller is when no single party runs the system, so it could prove a major roadblock to GDPR compliance. Alongside the benefits to consumers, slowed-down processes and the resulting poorer customer service could also be an undesirable side effect of the new regulations. Popular free services like Facebook, ZoomInfo and YouTube, which run primarily on retail consumers' data, are likely to be adversely affected as well.
Although the General Data Protection Regulation is an EU regulation, it will impact businesses in Nepal as well, and one can only hope those businesses are prepared for it. Any business that processes the personal data of individuals in the EU, for example by offering them goods or services, falls within the GDPR's scope. Multinational institutions based in Nepal would therefore almost certainly be within scope, and businesses such as hotels, trekking and travel agencies and courier services, which routinely handle EU visitors' data, would be affected too. Nepal's national data protection laws may in time be aligned with the GDPR; if they were perfectly aligned, processes complying with local law would adhere to GDPR standards as well. When Nepal adopts aspects of GDPR into its local laws, and how much of it is adopted, remains to be seen.
Thus one can see that the General Data Protection Regulation poses both benefits and challenges to stakeholders. For individuals in the EU, GDPR ensures a substantially stronger level of protection and privacy for their personal data. Organizations, on the other hand, face added complexity and cost, since they must revise their processes to incorporate GDPR's provisions. The usefulness of GDPR compliance is not limited to EU citizens: it brings added discipline and transparency to organizational processes too. Furthermore, similar provisions may well be introduced in other parts of the world, as user privacy concerns have grown globally along with technological advances. Hence it is important for all stakeholders involved in data privacy to familiarize themselves with the requirements of GDPR compliance.