The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.
The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
- Requiring the consent of subjects for data processing
- Anonymizing collected data to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
- The law is a replacement for the 1995 Data Protection Directive, which has until now set the minimum standards for processing data in the EU.
- GDPR will significantly strengthen a number of rights: individuals will find themselves with more power to demand companies reveal or delete the personal data they hold;
- The definition of personal data now explicitly includes location data, IP addresses, and identifiers such as genetic, mental, economic, cultural or social identity of a natural person.
- Individuals will have stronger rights over their personal data. The new rights include the right to be forgotten, the right to data portability, the right to object to profiling. Consumer consent to process data must be freely given.
- Regulators will be able to work in concert across the EU for the first time, rather than having to launch separate actions in each jurisdiction. The penalties run into hefty fines — highest being 20 million euros or 4% of annual turnover — whichever is greater.
- The “right to be forgotten,” also known as the right to erasure, the GDPR gives individuals the right to ask organizations to delete their personal data. But organizations don’t always have to do it.
GDPR applies to any organisation operating within the EU, as well as any organisations outside of the EU which offer goods or services to customers or businesses in the EU. That ultimately means that almost every major corporation in the world needs a GDPR compliance strategy.
- GDPR affects every company, but the hardest hit will be those that hold and process large amounts of consumer data: technology firms, marketers, and the data brokers who connect them.
- Even complying with the basic requirements for data access and deletion presents a large burden for some companies, which may not previously have had tools for collating all the data they hold on an individual.
- But the largest impact will be on firms whose business models rely on acquiring and exploiting consumer data at scale.
If you process data, you have to do so according to seven protection and accountability principles
- Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
- Accuracy — You must keep personal data accurate and up to date.
- Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
- Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
Simply put, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.
- General Data Protection Regulation – Wikipedia
- Will a GDPR-Style Data Protection Law Work For India? – Carnegie India – Carnegie Endowment for International Peace
- What is GDPR? The summary guide to GDPR compliance in the UK | WIRED UK
- General Data Protection Regulation (GDPR) Definition
- What is GDPR? Everything you need to know about the new general data protection regulations | ZDNet
- General Data Protection Regulation (GDPR) Compliance Guidelines
- Everything you need to know about the “Right to be forgotten” – GDPR.eu
- What is GDPR, the EU’s new data protection law? – GDPR.eu
- Everything you need to know about GDPR compliance – GDPR.eu
- What is the General Data Protection Regulation? Understanding & Complying with GDPR Requirements in 2019 | Digital Guardian
- How India Plans to Protect Consumer Data
- India need not adopt the onerous European General Data Protection Regulation