The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states, and non-compliance could cost companies dearly. The GDPR aims primarily to give citizens and residents control back over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation; it is thus directly binding and applicable.
The Regulation will come into effect on 25 May 2018 and will bring significant changes to current data protection laws as we know them. Any company deemed non-compliant will face hefty fines.
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU. Specific criteria for companies required to comply are:
- A presence in an EU country.
- No presence in the EU, but it processes personal data of European residents.
- More than 250 employees.
- Fewer than 250 employees, but its data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies. A PwC survey showed that 92 percent of U.S. companies consider GDPR a top data protection priority.
If an organization handles personal data, the Information Commissioner’s Office (ICO) states:
- They are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
- “Ultimately, these measures should minimize the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organizations, although many organizations will already have good governance measures in place.”
The new players in the European market would be:
- TPP – Third Party Payment Service Providers
- ASPSP – Account Servicing Payment Service Providers
- AISP – Account Information Service Providers
- PISP – Payment Initiation Service Providers
The fundamental rights of individuals under GDPR are:
- The right to be informed – Organizations must be completely transparent in how they are using personal data.
- The right of access – Individuals will have the right to know exactly what information is held about them and how it is processed.
- The right of rectification – Individuals will be entitled to have personal data rectified if it is inaccurate or incomplete.
- The right to erasure – Also known as ‘the right to be forgotten’, this refers to an individual’s right to have their personal data deleted or removed without needing to give a specific reason for wishing to discontinue.
- The right to restrict processing – Refers to an individual’s right to block or suppress processing of their personal data.
- The right to data portability – This allows individuals to retain and reuse their personal data for their own purpose.
- The right to object – In certain circumstances, individuals are entitled to object to their personal data being used. This includes cases where a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.
- Rights related to automated decision making and profiling – The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them, or is based on automated processing.
- Many new requirements – The GDPR imposes responsibilities and requires demonstration of compliance with them at all times. For instance, to encourage transparency, various obligations will regulate information, access and communication with the data subject. New and improved rights for the data subject, such as the right to data portability and the right to be forgotten, will impact companies because such rights will need to be accommodated in their internal processes.
- Very process-driven – The GDPR sets out specific processes for companies to adopt. It intends to help companies structure and formalize certain subject areas like risk assessment and decision making. By putting these structured processes in place, companies can work more efficiently and achieve compliance with the privacy rules.
- Very tangible and visible – It is not only a question of complying with general principles, such as data minimization or accuracy; the GDPR also imposes very concrete measures. For instance, the GDPR imposes an obligation on companies to keep internal records of their data protection activities.
- Increased fines and sanctions – The GDPR could have a huge impact on companies failing to comply. The supervisory authorities can take one or more measures listed in the GDPR, such as (i) issue a warning or impose a temporary or definitive ban on processing personal data, or (ii) impose a fine of up to EUR 20,000,000 or 4% of total worldwide turnover, depending on the circumstances of each individual case, or both.
- A moving target – Some requirements of the GDPR may remain difficult to implement for some time, as additional guidance on the GDPR is still forthcoming. However, it is imperative that companies take a proactive approach and avoid leaving it too late.
- Need for a company-wide project – Because of the above implications, companies should adopt a project-based approach to implementation across the company. Fact-finding, objective gap analysis, realistic milestones, and clearly defined roles, tasks and responsibilities will help you break down such an implementation into easily manageable units.
- Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer’s IP address.
- The GDPR also uses the term ‘sensitive personal data’ for data that can “uniquely identify a person”, for example genetic and biometric information. Personal data relating to criminal convictions is not classed as sensitive data, but the GDPR does introduce extra safeguards in relation to processing it.
Organizations can be fined up to €20 million or 4% of annual global turnover for breaching the GDPR.
This is the maximum fine that can be imposed for the most serious infringements, e.g. insufficient customer consent to process data or contravening the core of Privacy by Design concepts.
There is a tiered approach to fines: e.g. a company can be fined 2% for not having its records in order, not informing the supervising authority and the data subject (individual) about a breach, or not conducting an impact assessment.
Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. Unfortunately, these issues are often bolted on as an afterthought or ignored altogether. The ICO encourages organizations to ensure that privacy and data protection is a key consideration in the early stages of any project, and then throughout its lifecycle.
Taking a privacy by design approach is an essential tool in minimizing privacy risks and building trust. Designing projects, processes, products or systems with privacy in mind at the outset can lead to benefits, which include:
- Potential problems are identified at an early stage, when addressing them will often be simpler and less costly.
- Increased awareness of privacy and data protection across an organization.
- Organizations are more likely to meet their legal obligations and less likely to breach the Data Protection Act.
- Actions are less likely to be privacy intrusive and have a negative impact on individuals.