GDPR Demystified: What is GDPR and how does it affect you?
Definition of GDPR
GDPR stands for General Data Protection Regulation. It is a set of laws approved in 2016 and in effect since 25 May 2018. It affects any company that has its business, or a part of it, in Europe, or that caters to European citizens.
It is a regulation that requires businesses to protect the privacy and data of the citizens of the European Union who transact with them. It gives citizens more control over the data they share during transactions and while using services: they can request access to it and even withdraw consent.
What is GDPR compliance?
The General Data Protection Regulation replaces the EU Data Protection Directive of 1995. The directive served as a set of guidelines for the countries in the EU, whereas GDPR is mandatory. So what do firms need to take care of to be GDPR compliant?
GDPR, explained in simple words, defines what counts as ‘personal data’ and how a company may use it. It gives you, the user of the service, the right to know how an organisation uses the data you provide. Companies need to tell you about every item of data they intend to collect and then obtain your consent. They can’t use any data in a way you didn’t consent to.
An organisation can only collect the data you agreed to, and it needs to have a system through which the individual knows everything s/he shares. If you aren’t comfortable with something, the company should allow you to withdraw your consent. Failing to comply with the regulation results in fines.
A Data Protection Officer needs to keep everything in check. The DPO is the first point of contact for authorities or individuals when they need to reach the company. But which citizens’ rights do companies need to take care of? Let’s find out!
Consumer rights in GDPR
GDPR, also popularly known as the Data Protection Act 2018, gives the public certain rights and control over the personal data a company stores and uses. And if an individual withdraws consent given earlier, the company should delete all data relevant to that person.
Companies, however, can retain the data if they have valid reasons – like legality or security – to do so. Here are the eight rights that citizens of the EU enjoy –
i) Right to be Informed –
Individuals should know about the data collected and its intended use. Companies should present this information in plain, layman’s language, without technical terms. Along with that, they should also keep users informed of how long the data will be kept and of any third-party involvement.
ii) Right to Access –
Individuals have the right to request access to their data, and companies have to fulfil this request within a month. There can be exceptions depending on the data requested, but they need to provide a copy of the data within the stipulated time.
iii) Right to Rectification –
Individuals can approach the company if they find the information it holds inaccurate (or incomplete). They can request that the company update the data, and it has a month to make the requested changes. There is provision for exceptions here as well.
iv) Right to be Forgotten –
Also called the Right to Erasure, it empowers individuals to request that companies remove their data. The reasons can be unlawful processing of the data, or that the user feels the data is no longer necessary. People can also request erasure when they withdraw their consent to the collection of their data.
v) Right to Restrict Processing –
Similar to the Right to Erasure, individuals can request that companies limit their use of the personal data they hold. They can exercise this right, say, while the organisation is rectifying the stored data. This right is also useful when the company needs to retain data that the individual wants deleted.
vi) Right to Data Portability –
Under GDPR, individuals have the right to reuse the data they provided to one company. They can ask that company to transfer the personal data they provided, whether under a contract or by consent, to another company. And the company – the data controller – is obliged to do so by automated means, without creating any hindrance.
vii) Right to Object –
Individuals – the data subjects – can also object to the processing of personal data held by data controllers. The company must then stop the processing until it presents strong or legitimate reasons for continuing.
viii) Automated Decision making & Profiling Rights –
Apart from manual processing of data, GDPR also has provisions for data processing done by automated means. One such automated process is the profiling of individuals, and individuals have the right to request a review of the rules being followed.
These rights are collectively called the GDPR Data Subject Rights, and all organisations that operate in the EU or serve EU citizens have to safeguard them to comply with GDPR.
So, how does GDPR affect my company?
Do you have a presence in an EU country? Do you store and process data of EU citizens? If you answered both questions in the negative, you don’t need to bother about the effects of GDPR. Otherwise, read on. Only those organisations that have something to do with the personal data of EU citizens need to comply with GDPR, and it doesn’t matter whether they have a business in the EU or not.
Any such company comes under the radar of GDPR; there are no exceptions. Whether you’re the data controller (who stores the data) or the data processor (who manages the data), both have equal liability. If your company is GDPR compliant but your third-party data processor is not, you are not compliant with GDPR.
So those whose business involves a lot of data – marketers and tech firms – need to know it all. GDPR can be a heavy burden if an organisation doesn’t have the tools to bring all the data about an individual together in one place. It needs to grant access on request and even delete that individual’s data entirely if asked.
And what kind of data falls under GDPR? Take a look at the infographic beside. GDPR’s scope covers data related to basic identity, like name and address, and also web data such as IP address. It also covers genetic, health, biometric, ethnic and racial data, and even an individual’s political opinions and sexual orientation.
Implementing GDPR requires organisations to introduce transparent privacy policies and to integrate and secure their data. Organisations also need to know that they attract penalties for non-compliance even if no one complains of a breach. It’s GUILTY UNTIL PROVEN INNOCENT.
On the other hand, as an individual, you have powers as never before. An individual can control how organisations collect and use (or delete) their data. If individuals start exercising their right to restrict processing or the right to be forgotten, GDPR may end up being a disaster for companies.
Whatever the situation in the near future, the General Data Protection Regulation is an excellent measure towards keeping privacy issues under control.
Submitted by: Abhijeet Kumar
Popularly known as the Lazy Writer, I am a postgraduate in Computer Applications. My love for computers and my passion for writing led me to intertwine both, and now I freelance as a technical content writer. Catch up with me on LinkedIn.