The General Data Protection Regulation (GDPR) is an EU regulation approved by the European Parliament on 14 April 2016; it entered into force on 24 May 2016 and has applied (been enforceable) since 25 May 2018.
GDPR was designed to harmonise data privacy law across Europe, to protect and empower the data privacy of people in the EU, and to reshape the way organisations across the region approach data privacy.
GDPR replaces the Data Protection Directive 95/46/EC. Although the key principles of data privacy are carried over from the Directive, many changes were made to the regulatory regime.
1) Increased Territorial Scope
The biggest and most important change in GDPR is its territorial scope:
"The rules apply not only to European companies and organisations, but to every company or organisation that processes the personal data of people in the EU, regardless of where that company or organisation is located."
GDPR (Article 3) makes it explicit that it applies to the processing of personal data of data subjects who are in the EU by controllers and processors, whether or not the processing itself takes place in the EU. Note that the test is the data subject's presence in the EU, not EU citizenship.
The processing activities that bring a non-EU organisation into scope are:
- Offering goods or services to data subjects in the EU (irrespective of whether payment is
- Monitoring of behaviour that takes place within the EU.
- Collecting metadata about data subjects in the EU while they use an app.
A non-EU business that processes the personal data of people in the EU must, with limited exceptions (Article 27), designate a representative established in the EU.
Under GDPR an organisation that infringes the Regulation can be fined up to €20 million or 4% of its total worldwide annual turnover, whichever is higher.
This upper tier applies to the most serious infringements (Article 83(5)), such as:
- Processing without a valid legal basis, including processing without sufficient consent of the data subject.
- Infringing the rights of data subjects (access, erasure, portability and the others listed below).
- Unlawful transfers of personal data outside the EU.
A lower tier of up to €10 million or 2% of worldwide annual turnover (Article 83(4)) applies to breaches of controller and processor obligations, such as:
- Violating the core privacy-by-design obligations (Article 25).
- Not keeping records of processing in order (Article 30).
- Not notifying the supervisory authority and the affected data subjects of a personal data breach (Articles 33 and 34).
- Not conducting a data protection impact assessment where one is required (Article 35).
Cloud services are not exempt: a cloud provider that processes personal data on a customer's behalf is a processor with its own direct obligations under GDPR, while the customer remains responsible as controller.
Consent
- Organisations can no longer bury consent in long, illegible terms and conditions full of legalese.
- A request for consent must be intelligible and easy to understand, and the purpose of the data processing must be clearly stated in it.
- Consent must be clearly distinguishable from other matters and presented in plain language.
- It must be as easy for users to withdraw consent as it was to give it.
Data Subject (Users) rights
1) Breach Notification
- Under GDPR, breach notification is mandatory where a breach is likely to "result in a risk to the rights and freedoms of natural persons".
- The supervisory authority must be notified within 72 hours of the controller first becoming aware of the breach; where the breach is likely to result in a high risk to individuals, the affected data subjects must also be notified without undue delay.
2) Right to Access
- Data subjects have the right to obtain from the data controller (the organisation) confirmation as to whether personal data concerning them is being processed and, if so, where and for what purpose.
- The controller must provide the data subject with a copy of their personal data free of charge; where the request was made electronically, the copy must be provided in a commonly used electronic format.
3) Right to be Forgotten
- Also known as the right to erasure.
- Data subjects have the right to have their personal data deleted.
- Grounds for erasure include that the data is no longer necessary for the purpose for which it was collected, or that the data subject withdraws the consent on which the processing was based and there is no other legal basis for it.
- This extends to data that has been passed on to third-party services: a controller that has made the data public must take reasonable steps to inform other controllers processing it of the erasure request.
4) Data Portability
- Data subjects have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format.
- They also have the right to transmit that data to another controller without hindrance.
5) Privacy by Design
- Privacy by design has existed as a concept for years, but becomes a legal requirement with GDPR.
- Privacy by design means building data protection into a system from the outset of its design, rather than bolting it on afterwards.
Article 25 puts it as follows: "The controller shall ... implement appropriate technical and organisational measures ... in an effective manner ... in order to meet the requirements of this Regulation and protect the rights of data subjects".
6) Data Protection Officers
Under the old Directive, controllers were required to notify their data processing activities to local DPAs, which, for multinationals, was a bureaucratic nightmare because most Member States had different notification requirements.
Under GDPR it is no longer necessary to submit notifications or registrations of data processing activities to each local DPA, nor to notify or obtain approval for transfers based on the Model Contract Clauses (MCCs); instead there are internal record-keeping requirements (Article 30).
Appointing a DPO is mandatory for public authorities and bodies, and for controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data or of data relating to criminal convictions and offences.
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice.
- May be a staff member or an external service provider.
- Contact details must be published and communicated to the relevant DPA.
- Must be provided with appropriate resources to carry out their tasks and to maintain their expert knowledge.
- Must report directly to the highest level of management.
- Must not carry out any other tasks that could result in a conflict of interest.