EU's GDPR comes into force tomorrow: All you need to know
Here's a quick read on the basics of the European Union's General Data Protection Regulation (GDPR).
With growing global consciousness about privacy and data protection, today, 25th May 2018, marks a landmark date when the European Union’s General Data Protection Regulation (GDPR) comes into effect. At this hour, when several business houses with an EU interface are scurrying with their last-minute preparations to be GDPR compliant, many are still oblivious to this alien regulation. Therefore, this may be the best time to do a quick read on the basics of GDPR. This is not only because it is the beginning of a historic privacy movement for EU data subjects, but also because India’s own data protection and privacy legislation, which is in the making, may borrow several concepts from the GDPR.
We got in touch with Supratim Chakraborty, Associate Partner, and Harsh Walia, Associate Partner, Khaitan & Co to know more about GDPR, the needs and effects on us as common netizens. Below are their insights with respect to the upcoming EU data laws.
What is GDPR?
GDPR seeks to harmonize the scattered data protection laws in the EU and envisages stringent penalties under it. It replaces the existing EC Data Protection Directive (95/46/EC). GDPR seeks to enhance the data privacy rights of users and imposes certain new responsibilities upon data controllers and processors.
Why was it required?
GDPR endeavours to create a model for a data protection and privacy framework that will be able to keep pace with rapid advancements in technology. Most importantly, GDPR attempts to give back to individuals control over their personal data, while recognising the protection of one’s personal data as a fundamental right.
Who will be affected?
GDPR is anticipated to have a substantial impact on businesses having an EU interface. It will apply to all businesses which have any establishment within the EU. Further, all businesses, irrespective of physical presence in the EU, that offer “goods or services” (regardless of whether they charge for it or not), or monitor the behaviour and activities of individuals in the EU, will be impacted by the incidence of the GDPR. Indian companies that process personal data of EU data subjects, such as business processing units or outsourcing companies, may be most impacted by the GDPR.
How does it concern you?
Data subjects in the EU will benefit as the GDPR provides extensive rights and protection to individuals in relation to their personal data. Privacy of an individual is paramount and GDPR requires businesses to take clear, unambiguous and explicit consent before processing personal data. GDPR also requires businesses to allow users to seek restriction on processing of their personal data, seek copies of their personal data, rectify it and withdraw their consent previously given for the processing. GDPR gives users the “right of erasure”, meaning that they can seek deletion of their personal data so that it is no longer accessible by third parties, subject to certain exceptions. It also permits individuals to seek portability of their personal data from one entity to another.
One of the basic principles of GDPR is “data protection by design and data protection by default”. In other words, businesses have to inculcate privacy principles in their processes, systems and operations, as opposed to adopting them as a corrective measure. These, coupled with the principles of data minimisation and storage limitation, seek to put the onus on businesses not just to handle personal data carefully but to minimise its collection and retention. Any breach of personal data is required to be reported by businesses to the relevant authority in the EU as well as to affected users within stipulated timelines.
What next?
The due date of May 25 is here, and businesses are in a state of frenzy, trying to bring their privacy policies, data architecture, etc., in line with the GDPR. However, it should also be kept in mind that this is not a deadline-based job which gets over now. It is the beginning of a journey. The concepts envisaged under GDPR would be ever evolving and would require dynamic compliance work over time. Compliance with GDPR will certainly be a game-changer for business entities in India as it will have additional two-fold benefits – increased customer confidence as compared to other Indian businesses which do not have robust privacy standards, and significant compliance-readiness for the upcoming Indian data protection and privacy legislation, which is proposed to have several principles of GDPR engrained in it.