General Data Protection Regulation
Data privacy is a dynamic term which refers to the appropriate management of personal data concerning consent, notice, sensitivity, regulatory concerns and so forth. An organization or regulatory body enforce information security system to handle data privacy concerns. Data Security and Data Privacy are different terms. But, are closely related and one affects the other. Data security refers to the principle of protecting data from outsiders. Data privacy governs collection, circulation and use of data. Both terms, although different, go hand in hand and the process of one affects the other.
Data security ensures protection of data. However, to confirm full ethical use of data, necessary proper privacy provisions need to be put in place. Data privacy issues generally revolve around confidentiality, availability and integrity of data. Regulatory restrictions demand for imperative data privacy. Out of all the data privacy based regulations, the General Data Protection Regulation (GDPR) is the latest.
GDPR and Information Security Audit
The General Data Protection Regulation is a regulation in European Union (EU) based on data protection. It deals with data protection and data privacy for all individuals (data subjects) within the European Economic Area (EEA). GDPR not only deals with data privacy, but also with human rights law. By human rights law, it deals with sensitive topics such as consent to keep one’s information private. GDPR primarily addresses the transfer of EU based personal data outside the EU or EEA. This means that any EU based information and their security and audit would fall under the scope of GDPR.
The main objective of the GDPR is to give back EU citizens the control of their personal data and add a degree of accountability for organizations while handling EU citizens’ data. Government, organizations, businesses, institutions store information to provide services. GDPR aims to simplify the regulatory process for data storage and protection, ensuring citizens’ privacy in safe hands.
Information security and Protection Directive
GDPR supplants the older Data Protection Directive (DPD) for information security and its audit. The Data Protection Directive was a EU based directive adopted in 1995 that overlook personal data processing across EU. A directive allows countries to freely adopt different data breach based laws as per their interpretations. Conversely, regulations are rules that must be strictly followed word for word. Under DPD, various EU member states such as Germany, Spain, France, etc. were free to adopt their own Data Protection laws. GDPR regulates the policies to add a degree of uniformity. And, all EU member states must follow this regulation.
DPD vs GDPR Regulation for information security audit
GDPR has made several improvements over the previous Data Protection Directive. Firstly, it has redefined the term ‘personal data’. Under DPD, personal data limits to names, photos, addresses and personal identification numbers. Now, personal data encompasses a lot of technology based information like a citizen’s web history, IP address and biometric data like fingerprints and retina scans. This is a necessary upgrade in definition by DPD, in consideration to technological advancements over the past two decades.
GDPR also has introduced much more enhanced individual rights. In comparison to older regulations there is an increase in privacy considerations. Requirements from organizations (data processors) to put specific and unambiguous explicit opt-in for any personal data processing on customers’ end have certainly added a degree of added transparency with regards to personal data collection and processing.
Right to delete account information
The GDPR provides a ‘right to be forgotten’. This means that EU residents can demand to transfer their data to another organization as well as its permanent deletion. If such a demand is made by any of the data subjects, the data processors will have to comply without any resistance. Under this right, data subjects can also halt the processing of their personal data to third parties. Organizations face a compulsion to delete any personal data that is not on use anymore.
Right to access
GDPR also introduces the ‘right to access’. Under this, data subjects will have the right to obtain information from data controllers about how the data would be used, where and when, free of charge. This massive upgrade over DPD allows an added level of citizen empowerment with regards to personal data.
Another key difference between GDPR and DPD is that data processors (organizations) are now heavily controlled with several restrictions and added guidelines. As opposed to DPD, where data processors were only persecuted when anything went wrong, GDPR takes a precautionary approach where data processors will have to follow the data controller’s (a National Competent Authority) contractual guidance at all times in order to process data. The GDPR describes a data controller as a “natural legal person, public authority, agency or other body, which determines the purposes and means of the processing of personal data.” GDPR has also introduced several guidelines for proper documentation of personal data.
Large organizations (typically with over 250 staff) have an obligation to preserve documentation detailing their data protection policies and keep records of their data processing activities. They also have an obligation to carry out periodic impact assessments in areas with high risks of data breach. In addition, there is a requirement for these large organization to assign the role of a Data Protection Officer, who would be accountable for “regular and systematic monitoring of data subjects on a large scale. The Data Protection Officer would assume the duty of being the focal point for any citizen related data processes.
Along with enhanced regulations, GDPR has also levied much heftier fines in case of breaches. Under DPD, data breaches punishment were different in (somewhat low) fines, different for each member state. The GDPR however has very clear-cut and strict penalties. Personal data breaches must be notified by the data controllers within 72 hours and failure to do so will result in an EUR 20 million fine or 4% of the organization’s global turnover.
Effects of General Data Protection Regulation
GDPR is going to affect businesses across EU. It goes without saying that the new regulations will bring about an enhanced user experience for consumers. Similarly, it is quite obvious that organizations will face a sundry amount of added costs and formalities in their operations in addition to the need to hire or train a Data Protection Officer. One of the unexpected impacts is on Blockchain technology based projects.
A Blockchain system is a public recordkeeping system adopting decentralization and high encryption. As a result, it allows enhanced security. This streamlines process is proving to be cost-effective and efficient for office applications. Due to decentralization, blockchain projects require data sharing in all of its systems. This could prove to be a massive roadblock in terms of GDPR compliance. Increase in service time is an undesirable impact on businesses from new regulations. This follows to poor customer service. Popular services like Facebook, ZoomInfo and YouTube are the ones to face it first.
Context of Nepal
Although the GDPR is an EU based regulation, it impacts businesses in Nepal as well. Any business that deals with EU related data would fall under the GDPR scope. This means multinational institutions based in Nepal would most definitely fall under the scope.
Additionally, businesses like hotels, trekking and travel agencies as well as courier services that most likely process EU data would be on impact. In Nepal, the General Data Protection Regulation would most likely align with the national data protection laws. If perfectly aligned, data processes complying with the local laws would be adhering to GDPR standards as well. The way Nepal plans to adopt GDPR on its law is quite interesting.
Thus, one can see General Data Protection Regulation poses both benefits and threats to stakeholders. For EU citizens, GDPR ensures an unparalleled level of safety and privacy of their personal data. Organizations on the other hand face added complexities and costs due to a requirement to revise their processes to incorporate GDPR’s provisions.
The use of GDPR compliance is not only limited to EU citizens. It introduces extra level of ethicality and optimality to organizational processes. Furthermore, provisions might be introduced globally as user privacy concerns have grown with technological advancements. Hence, it is important for all stakeholders relating to data privacy to familiarize themselves with aspects surrounding GDPR compliance.