It is comprehensive privacy and data security legislation by the EU, to protect the personal data of its people (residents and citizens, called data subjects in the Regulation) and to help them control how this data is collected, processed, shared and stored.
It mandates that companies (called data controllers and processors) obtain “freely given, specific, informed and unambiguous” consent from data subjects regarding the movement and use of this data. Thus, GDPR also regulates the export of this data outside the EU.
Further, a record of consent must be maintained under the new regime.
Highlights of the GDPR
It creates the European Data Protection Board (EDPB), along with member states' Data Protection Authorities (DPAs), to regulate and implement GDPR and resolve disputes. It also requires firms to appoint Data Protection Officers (DPOs) wherever applicable.
Data protection principles: Personal data should be processed according to the following six principles:
Processed lawfully, fairly and transparently
Collected only for specific legitimate purposes
Adequate, relevant and limited to what is necessary
Must be accurate and kept up to date
Stored only as long as is necessary
Ensure appropriate security, integrity and confidentiality
Governance and accountability: It requires the maintenance and enforcement of internal data protection policies and procedures, along with documentation of data breaches and investigations. Data protection impact assessments (DPIAs) are a must for high-risk processing operations.
Data protection “by design” and “by default”: This means that the design of future business operations and management workflows relating to data should be GDPR-compliant, and the default collection mode must be to gather only the personal data that is necessary for a specific purpose. Data storage must use the highest possible privacy settings by default and should use pseudonymisation or anonymisation.
Right to erasure of personal data: GDPR requires organisations to completely erase data from all repositories when: (i) data subjects revoke their consent; (ii) a partner organisation requests data deletion; or (iii) a service or agreement comes to an end. However, data can be retained for certain legal reasons under a few exceptions. It also provides for the right to be forgotten, the right to rectify data, the right to data portability, etc.
Companies are required to report a data breach within 72 hours to the nominated national DPA. These breaches must be disclosed to the affected individuals as well.
Exemptions/restrictions: The following cases are not covered by the regulation:
Lawful interception, national security, military, police, justice
Statistical and scientific analysis
Deceased persons, subject to national legislation
Employer-employee relationships (covered as per a separate law)
Processing of personal data by a natural person in the course of a purely personal or household activity
Conversely, an entity has to be engaged in “economic activity” (as per EU laws) to fall under GDPR.
Firms based outside the EU that provide goods or services to the EU are also subject to the GDPR. These companies may need to appoint a representative in the EU.
It includes a separate Data Protection Directive for the police and criminal justice sector that provides rules on personal data exchanges at the national, European and international levels.
Failure to comply invites penalties as high as €20m or up to 4% of global annual revenues.
It emphasises the simplification of information and processes so that the public can understand them and act with ease.
The ePrivacy Regulation, covering online data activities, is yet to be finalised by the EU.
Implications for India and beyond
It affects the work practices of the technology sector, online retailers, software companies, financial services, online services/SaaS, retail/consumer packaged goods, B2B marketing, etc.
For Indian firms: Europe is a significant market for the Indian IT/BPO/technology/pharma sectors, and hence GDPR compliance becomes a priority for all Indian organisations doing business there.
Challenges: According to an Ernst & Young study, only 13% of Indian companies are prepared for GDPR. These provisions would be a challenge for smaller firms and young start-ups, demanding high compliance costs or otherwise loss of business.
Opportunity: At the same time, there is an opportunity for new consultancy and advisory firms to set up operations and help other firms with GDPR compliance across the world. Also, compliance can be turned into a competitive advantage vis-à-vis other Asian firms.
India and the EU relations:
One of the routes for transferring personal data outside the EU is when the EU has designated a country as providing an adequate level of data protection. Given that the EU has not accorded ‘data secure country’ status to India, operations between Indian and European firms may become difficult. This also has implications for the India-EU BTIA (Broad-based Trade and Investment Agreement).
GDPR provides that a legal order/judgement by a third country requiring action on the part of a data controller/processor may not be recognised in the absence of an international agreement such as a Mutual Legal Assistance Treaty (MLAT). This is of concern since Germany refused to sign an MLAT with India in 2015, citing its objections to India’s death penalty provisions.
Blockchain technologies: The decentralised nature of these technologies can help protect personal data better. At the same time, the anonymity offered by crypto-currencies based on these technologies may conflict with the compliance norms under the GDPR.
For consumers the world over: They will demand better laws to protect their data, via campaigns against the bad practices of other governments and companies that harvest personal data without consent, thereby violating the right to privacy.