At the core, GDPR is a new set of rules designed to give EU citizens more control over their personal data
There’s been a lot of chatter about GDPR, a new law that is being implemented by the European Union around data privacy. GDPR is what led to a great number of emails flooding your and my email inboxes about updated privacy policies. As one email I received said, “We aim to be fair, open and honest about who we are and what we are going to do with the personal data we collect.” Let’s face it. We never believed such declarations anyway. The existence of Cambridge Analytica is proof that data privacy is a myth. Even so, the EU is, ostensibly, making a valiant attempt at privacy.
So what on earth is GDPR and why are all these newsletters flipping out about it? That’s what we will find out on today’s deep dive. My name is Rakesh, and you’re listening to Moneycontrol.
The European Union has implemented a new law with the intent of protecting data privacy. It's called the General Data Protection Regulation, now famous as GDPR. This Friday, it comes into effect in 28 EU countries.
Back in 2012, the European Commission charted out plans for data protection reform across the Union in order to make Europe 'fit for the digital age'. One of the major components of the reforms is the introduction of the General Data Protection Regulation. In April 2016, agreement was reached on what that involved and GDPR was adopted by the EU as a law. This new law applies to organisations in all member-states and has implications for businesses and individuals across Europe, and beyond.
GDPR changes the rules for companies that collect, store or process large amounts of information on residents of the EU. It demands more openness about what data these companies possess and whom they share it with.
Hello Facebook. I think they mean you.
The GDPR came up several times during Facebook CEO Mark Zuckerberg's testimony before the US Congress this April – the one that went viral on WhatsApp and other social media – and it was a major focus this week when members of the European Parliament questioned Zuckerberg in Brussels. EU officials said they weren't satisfied with the Facebook CEO's answers to questions about the GDPR.
"I think the GDPR in general is going to be a very positive step for the internet," Zuckerberg told American lawmakers, discussing Facebook's plans to tighten data policies, protect users from further leaks and become more transparent about who's advertising on the site.
Any company with a digital presence in the EU will have to comply with the law or face steep penalties. EU here still includes the UK because the Brexit drama hasn’t played out in full yet. It’s not just Facebook or other big names that will be affected. Health care providers, insurers, banks and any other company dealing in sensitive personal data will also be on the hook. That explains the flood of updated privacy policies in your email inbox. A company being based in the US or anywhere else won’t save it from the hefty penalties that the EU has promised to impose if EU citizen data is toyed with.
As CNET noted, “GDPR will have a significant impact on our online footprints and how the apps and services we use protect or exploit them.”
At the core, GDPR is a new set of rules designed to give EU citizens more control over their personal data. It requires all firms dealing with personal data to be open and transparent about what they will do with it, and to take the user’s permission before they share it.
The law also requires firms to seek user consent through an explicit opt-in, or a signature on a consent form. Meaning you can now say goodbye to check-boxes that are ticked by default. Not just that, once the data is shared, consumers also have the right to object to specific uses of their personal data and can demand a playback or deletion of their past records at any time. Firms that lose data to hacking or a data breach can no longer hide it. They are required to notify customers within 72 hours of the breach.
This will be a big change from existing business practices regarding data management, and the general conduct of companies with regard to user data. For example, during the Equifax data breach in 2017 that exposed the personal information of nearly 148 million people in the US and beyond, the company spent weeks stopping the attack and then planning how to deal with the damage before informing the public.
Data breaches are inevitable from time to time, as the history of the internet demonstrates. Information is lost, stolen or otherwise released into the hands of people who were never intended to see it. Some of these people can have malicious intent. And that is where data security comes in. Under the terms of GDPR, organisations have to ensure that personal data is protected from misuse and exploitation – or face penalties for not doing so.
If someone in the EU wants a company to delete his or her data, send copies of the data, or correct an error in the data, companies have to comply. GDPR goes even further. EU residents can now object to specific ways companies are using their data, saying that they don't mind if a company keeps the data as long as it stops using the info for a particular purpose.
Okay, so let’s break down who is covered under GDPR, and how much misdemeanours can cost a company playing truant with EU citizen data. There are three aspects that make GDPR provisions far more stringent, if not all-encompassing, than any other existing data privacy law. One, it applies not just to companies based in the EU, but to all businesses that sell goods or services to, or even ‘monitor the behaviour of’, EU residents. That’s a pretty wide net. Two, GDPR affects not just the organisations collecting or mining the data but also all of those that ‘process’ the data on their behalf. Three, playing hooky with GDPR can hurt companies a fair bit: the new law levies a fine of €20 million or 4 percent of the errant company’s global sales, whichever is higher, for serious violations.
Within just days of its implementation, GDPR had already made its presence felt. It has led to the shutdown of a couple of US news websites and prompted billion-dollar lawsuits against Google and Facebook by an Austrian privacy activist. Talk about impact.
Businesses in India, too, will come under GDPR, if they are looking at operating in Europe, that is. Several businesses operating out of India now have the ability to target customers globally. If an entity, while offering its goods or services, targets customers in the EU, and collects and processes personal data of such persons, then that entity has to comply with the rules and processes set out in GDPR. The impact of GDPR on Indian individuals is an outcome of the approach adopted by businesses around the world. In their efforts to update privacy policies in compliance with the sweeping changes wrought by GDPR, businesses around the world, including India, have decided not to limit these changes to their users located in the EU alone.
Most, if not all, businesses are making these safeguards available globally, rather than adopting country-specific policies. This has resulted in Indian nationals enjoying safeguards and control of their personal data that were not previously available to them under Indian data privacy laws. India has, at best, sketchy privacy laws contained in the archaic Information Technology Act 2000, and an expert committee is working on a new set of laws. It’s anybody’s guess how safe user data is in India.
One important point to note is that GDPR privileges in India are only available to Indian nationals under contract. Indian citizens will not be able to seek protection under GDPR. The Economic Times notes that any claim of data breach will necessarily be under contract and, to the extent available, under Indian data privacy laws. The manner in which businesses around the world and in India have chosen to comply with GDPR has resulted in an unexpected benefit for Indian nationals.
There are two different types of data-handlers the new legislation applies to: 'processors' and 'controllers'. A controller is a "person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data", while a processor is defined as a "person, public authority, agency or other body which processes personal data on behalf of the controller".
The UK's Information Commissioner's Office, which is the authority responsible for registering data controllers, taking action on data protection and handling concerns about the mishandling of data, says "You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR."
What this means is, GDPR ultimately places legal obligations on a processor to maintain records of personal data and how that is processed. This provides a much higher level of legal liability if the organisation’s data security measures are breached. Controllers will be forced to ensure that all contracts with processors are in compliance with GDPR.
Let’s look at what this data is, that the GDPR makes nearly sacrosanct. The types of data considered personal under the existing legislation include name, address, and photos. GDPR has expanded the definition of personal data so that something like an IP address can be considered personal data. It also protects information that can show a person's activity both online and in the real world.
Besides IP addresses, that includes location information, cookies and other data that lets companies track users as they browse the internet. It also includes sensitive personal data: genetic data, biometric data that could be processed to uniquely identify an individual, racial or ethnic data, sexual orientation, political opinions and so on. Yes, we live in times when expressing controversial political opinions online can even get you arrested.
What does GDPR mean for businesses? It establishes one law across the European continent and a single set of rules which apply to companies doing business within EU member states. The European Commission claims that by having a single supervisory authority for the entire EU, it will make it simpler and cheaper for businesses to operate within the region. The Commission claims that GDPR will save €2.3 billion per year across Europe. "By unifying Europe's rules on data protection, lawmakers are creating a business opportunity and encouraging innovation," the Commission says.
The Commission says the regulation will guarantee that data protection safeguards are built into products and services from the earliest stage of development, providing 'data protection by design' in new products and technologies. Businesses will be encouraged to adopt techniques like 'pseudonymisation' in order to benefit from the collection and analysis of personal data, while the privacy of their customers is kept safe at the same time.
For individuals, it’s a mixed bag. The number of data breaches and hacks over the years means that, for many of us, data — whether it is an email address, a password, social security number, health records, dating preferences — has been exposed on the internet.
One of the primary changes GDPR will ring in is providing consumers with a right to know when their data has been hacked. Organisations will be required to notify the appropriate national bodies as soon as possible in order to ensure EU citizens can take appropriate measures to prevent their data from being abused.
Consumers are also assured of easier access to their personal data, in terms of how it is processed. Businesses have been instructed that they need to detail how they use customer information in a clear and understandable way.
One of the most interesting aspects of GDPR is the Right To Be Forgotten. Also known as the right to data deletion, once the original purpose or use of the customer data has been realized, customers have the right to request that companies totally erase their personal data.
What happens if there is a breach of data anyway?
Once GDPR comes into force this Friday, it will introduce a duty for all organisations to report certain types of data breaches which involve unauthorised access to or loss of personal data to the relevant supervisory authority. In some cases, organisations must also inform individuals affected by the breach. They are obliged to report breaches that are likely to result in a risk to the “rights and freedoms of individuals and lead to discrimination, damage to reputation, financial loss, loss of confidentiality, or any other economic or social disadvantage”.
What that officialese means is, should the name, address, date of birth, health records, bank details, or any private or personal data about customers be breached, the organisation that has been breached is obliged to inform those affected, as well as the relevant regulatory body, so that everything possible can be done to contain the damage. And this is where GDPR puts the onus on businesses. The communication about a breach will need to be done via a breach notification, which must be delivered directly to the victims. This information may not be communicated only in a press release, on social media, or on a company’s website. It must be a one-to-one correspondence with those affected.
It is also made mandatory for the affected business to describe the possible consequences of the data loss – for example, theft of money, or identity fraud – as well as a description of the measures which are being taken to deal with the crime, and any countermeasure to deal with negative impacts which might be faced by the victims of the breach. The contact details of the data protection officer, or main point of contact dealing with the breach, will also need to be provided.
There was some immediate fallout of GDPR for European internet users. Those that visited American news websites like The LA Times, The Chicago Times and The Baltimore Sun on May 25th found that they weren't able to access the websites, with the publishers pointing to GDPR as the reason.
The LA Times had a statement for European users that said, "Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and are committed to looking at options that support our full range of digital offerings in the EU market.”
This leads directly to the question, what were these newspapers and news outlets even doing with user data that they didn’t want to risk GDPR penalties? And what consent did they have?
Many large online services and social-media companies are updating privacy policies and terms of service to prepare for the long arm of the new law. Facebook's response will probably be the most scrutinised by European regulators, given the Cambridge Analytica scandal as well as multiple previous concerns about the company's approach to data collection. Austrian privacy advocates filed complaints on Friday, the first day the GDPR went into effect, against Google and Facebook, as well as Instagram and WhatsApp. There is a hilarious turnaround in Facebook being watched all the time for what it does. Fun times we live in, no?
GDPR is a major reform in online privacy laws designed to reflect the world we're living in today. It brings laws and obligations across a vast swathe of Europe that are in tune with the hyper-connected age we live in. So what’s the big deal about GDPR?
Fundamentally, almost every aspect of our lives revolves around data. Social media, banks, shopping, even governments -- almost every service we use involves the collection and analysis of your and my personal data. Names, addresses, credit card information and more - all of these are collected, analysed and, perhaps most importantly, stored by organisations.
Ultimately, GDPR is an aggressive move by authorities in the face of data abuse, and it puts all the power in the hands of the citizen when it comes to their data. Experts recommend that we view it as a positive force that safeguards consumer data rights in an increasingly accessible but volatile world. And, just as it protects the consumer, it also protects organisations from overstepping their boundaries. Hear that Facebook? Boundaries.