GDPR: What, Why, and How

Today, the European Union is going to start enforcing GDPR, and the entire world is freaking out over those four letters. You definitely would have heard about it in the news, but probably wouldn’t have paid attention because it sounds boring. But it’s really important and here’s a guide to explain it to you.


What is GDPR?

The General Data Protection Regulation is legislation that was put into effect two years back, on May 24th, 2016. It is a set of rules and regulations that govern the way tech companies collect and handle people’s personal data. It applies to companies operating in the EU member states, as well as companies whose customers live in the EU member states. So, in summary, the regulation affects giants such as Facebook and Google.

What are the regulations?

The entire point of GDPR is to give people more control over their personal data. GDPR defines personal data as all data that can be related to an identifiable person. So if a company wants to process personal data, it has to do a few preliminary steps:

  • All the risks and impacts of processing the data must be assessed.
  • A Data Protection Officer must be appointed to oversee the process.

The key principle behind GDPR is consent. So once the company is ready to start collecting data, it has to make sure the person has clearly consented to having their data processed. The following guidelines are given to companies regarding user consent:

  • You must be informed clearly regarding the ways in which your personal data will and will not be used, the people who will have access to it during processing, and the rights and controls you hold over your data.
  • Personal data must not be processed unless you have voluntarily consented. That is, you must be given a real choice, and must not be pressured into giving consent. Also, you can withdraw your consent whenever you choose to.
  • Requests for consent must be clearly communicated in the contract, with the specific purposes for specific data. The contract must not include a consent request for data that is unrelated to the purpose. For instance, we have all seen mobile apps that ask for unnecessary permissions (e.g. a calculator requesting camera access). Once GDPR is enforced, only the required permissions can be requested, and such tricky fine print would be considered illegal.
  • Companies must not use your contact details for telemarketing unless you explicitly express consent. If you want telemarketing calls or e-mails to stop, it can be done with a simple objection.

After the data has been collected, rules have been laid out for processing it too:

  • Sites are advised to encrypt IP addresses and cookies the same way they encrypt credit card details. Complying with this may reduce or even prevent fines in case of a data breach.
  • If the purpose of the data is fulfilled, or if the user has withdrawn consent, then the data must be erased along with all existing copies of it.
  • Transfer of personal data to a company outside the jurisdiction of the EU must be done only after the transmitting party ensures that the receiving party will protect the data.
  • Written documentation and overview containing significant information about data processing (purpose, people impacted, data receivers etc.) must be maintained.

Besides these rules, GDPR also gives you control over your data. If you request it, the company must send you details about the data it has collected on you. You also hold the right to ask the company to delete the data it has collected on you.

Failure to comply with these regulations can result in fines of up to 20 million Euros (approximately INR 160 crore) or 4% of the company’s total global turnover in the previous fiscal year, whichever is higher.

You can read the complete legal documentation of GDPR here.

How does it impact us, Indians?

For starters, most tech companies have customers in Europe so they will have to update their privacy policy for the rest of the world too. Just go check your inbox to see all those e-mails asking you to accept the new GDPR-compliant privacy policy.

With Facebook’s recent Cambridge Analytica scandal, where it was revealed that 5 lakh Indian users’ data had been leaked, it is actually a relief that we are getting this protection. Besides, the Government of India still doesn’t have any strict laws governing the Internet, so GDPR will definitely be the template on which our own laws are built.

How strictly will GDPR be enforced?

This is a question with no answer. Behind all its glamour, GDPR is still just a law with many, many loopholes. Most of the rules use phrases like “within a reasonable period” or “provide sufficient information”. There are no strict definitions of how long a reasonable period is, or how much information is sufficient, so these are left open to interpretation.

A few online sources also voice concern that no one is prepared for enforcing GDPR – not the companies, not even the regulators. This is a disturbing concern, as two years were allotted for companies to prepare.

Therefore, it will be some time before any actual change in the M.O. of Big Data companies is seen, but one can only hope that the much-needed change comes soon.
