General Data Protection Regulation

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).

It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The GDPR replaced the 1995 Data Protection Directive and is aimed at protecting the personal data of individuals in the EU (whatever their citizenship) in an online, data-driven economy.

The rules also apply to organisations established outside the EU whose activities target data subjects in the EU, for example by offering them goods or services or by monitoring their behaviour. The definition of personal data now explicitly includes location data and online identifiers such as IP addresses, as well as factors specific to the genetic, mental, economic, cultural or social identity of a natural person. Individuals have stronger rights over their personal data, including the right to be forgotten, the right to data portability and the right to object to profiling. Consent to process data must be freely given.

Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements pertaining to the processing of personal data (a broader notion than the "personally identifiable information" of US usage) of individuals (formally called data subjects in the GDPR) inside the European Union, and applies to all enterprises, regardless of location, that process such data while doing business with the European Economic Area.

Business processes that handle personal data must be built with data protection by design and by default. In practice this means that technical and organisational safeguards such as pseudonymisation (or, where the data is no longer needed in identifiable form, full anonymisation) are built into the processing, that only the data necessary for each purpose is collected and retained, and that the most privacy-protective settings apply by default, so that personal data is not made available to the public without the individual's explicit, informed choice and cannot be attributed to a subject without additional information that is stored separately.

No personal data may be processed unless the processing rests on one of the lawful bases listed in the regulation. One of those bases is consent, which must be an unambiguous, freely given and specific affirmation by the data subject, obtained by the data controller before the processing starts. The data subject has the right to withdraw that consent at any time, and withdrawal must be as easy as giving it.

A controller of personal data must clearly disclose any data collection, declare the lawful basis and purpose for the processing, state how long the data is retained, and say whether it is shared with any third parties (including processors acting on the controller's behalf) or transferred outside the EU.

Data subjects have the right to request a portable copy of the data a controller holds about them in a structured, commonly used and machine-readable format, and the right to have their data erased under certain circumstances.

Public authorities, and businesses whose core activities involve regular and systematic monitoring of data subjects on a large scale or large-scale processing of special categories of data, are required to appoint a data protection officer (DPO), who is responsible for overseeing compliance with the GDPR. Businesses must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to individuals' rights and freedoms; where the risk is high, the affected data subjects must also be informed without undue delay.

It was adopted on 14 April 2016, and became enforceable beginning 25 May 2018; because the GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.

With the United Kingdom scheduled to leave the European Union in 2019, the UK granted royal assent to the Data Protection Act 2018 on 23 May 2018, which contains equivalent regulations and protections.

Flouting the rules can attract a maximum fine of 4% of an organisation's worldwide annual turnover for the preceding financial year or €20 million, whichever is higher.

The GDPR defines pseudonymisation as the processing of personal data in such a way that the resulting data can no longer be attributed to a specific data subject without the use of additional information. It is not mandatory, but the regulation names it repeatedly as an appropriate safeguard for data protection by design and for securing processing. An example is encryption, which renders the original data unintelligible so that it cannot be reversed without access to the correct decryption key; the GDPR requires the additional information (such as the decryption key) to be kept separately from the pseudonymised data and protected by technical and organisational measures. Two caveats matter in practice: pseudonymised data is still personal data and remains fully within the GDPR, because the controller (or anyone who obtains the key) can re-identify the subject; only data that is anonymised, so that the individual is no longer identifiable by any means reasonably likely to be used, falls outside the regulation. And a transformation that anyone can recompute without a secret (such as an unkeyed hash of an e-mail address) does not provide meaningful pseudonymisation, since the "additional information" needed to undo it is nothing more than a guess at the input.
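The separation of pseudonymised data from the information that unlocks it, as described in this section and in the design-by-default paragraph above, in working code. This is an added example and not code from the GDPR text or from any named project. It pseudonymises a constructed set of customer records by replacing the e-mail address with an HMAC-SHA256 token (keyed hashing is the technique chosen here; the encryption example given above works the same way, with the decryption key as the separately held secret), keeps the key and the token table as the separately stored "additional information", uses them to answer an access request and an erasure request, and contrasts the keyed token with an unkeyed hash that an attacker can re-identify by guessing. The records, field names, key-vault abstraction and helper functions are all assumptions of this example.

```python
"""Pseudonymisation with the re-identification secret held separately.

Added example for this article; not code from the GDPR text or any project.
The records below are constructed, fictional sample data.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample records (fictional people); "email" is the direct identifier.
RECORDS = [
    {"email": "alice@example.org", "country": "DE", "purchases": 3},
    {"email": "bob@example.net", "country": "FR", "purchases": 1},
    {"email": "carol@example.com", "country": "IE", "purchases": 7},
]
DIRECT_IDENTIFIERS = ("email",)


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256. Looks opaque, but anyone can recompute it from a guess."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(key: bytes, value: str) -> str:
    """HMAC-SHA256: recomputing or linking the token requires the secret key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: list[dict], key: bytes) -> tuple[list[dict], dict]:
    """Replace direct identifiers with keyed tokens.

    Returns the pseudonymised dataset and a token -> identifier table. The key
    (which lets the controller *link* a known person to a token) and the table
    (which lets it *reverse* a token) are the "additional information" and must
    live in a separate store, e.g. a key vault (assumed here), from the dataset.
    """
    dataset, table = [], {}
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            token = keyed_pseudonym(key, rec[field])
            table[token] = rec[field]
            new[field] = token
        dataset.append(new)
    return dataset, table


def find_subject(dataset: list[dict], key: bytes, email: str) -> list[dict]:
    """Locate one subject's rows given only the key (e.g. for an access request)."""
    token = keyed_pseudonym(key, email)
    return [r for r in dataset if r["email"] == token]


def erase_subject(dataset: list[dict], table: dict, key: bytes, email: str) -> list[dict]:
    """Honour an erasure request: drop the rows and the re-identification entry."""
    token = keyed_pseudonym(key, email)
    table.pop(token, None)
    return [r for r in dataset if r["email"] != token]


def guess_attack(pseudonym_fn, token: str, candidates: list[str]):
    """Dictionary attack: recompute tokens for guessed identifiers and compare."""
    for guess in candidates:
        if hmac.compare_digest(pseudonym_fn(guess), token):
            return guess
    return None


def demo() -> dict:
    key = secrets.token_bytes(32)  # generated and kept in the separate store
    dataset, table = pseudonymise(RECORDS, key)
    candidates = ["mallory@example.org", "alice@example.org", "bob@example.net"]
    target = "alice@example.org"
    return {
        "identifiers_left": any("@" in r["email"] for r in dataset),
        # Unkeyed hash: the attacker recovers the e-mail from a short guess list.
        "naive_recovered": guess_attack(naive_pseudonym, naive_pseudonym(target), candidates),
        # Keyed token: attacker holds the dataset but not the key, so guesses fail.
        "keyed_recovered": guess_attack(
            lambda v: keyed_pseudonym(b"attacker-does-not-know-key", v),
            keyed_pseudonym(key, target), candidates),
        "rows_for_bob": len(find_subject(dataset, key, "bob@example.net")),
        "rows_after_erasure": len(erase_subject(dataset, table, key, target)),
        "table_entries_after_erasure": len(table),
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the contrast: the unkeyed hash of the target address is recovered from a three-entry guess list, the keyed token is not, and the controller can still locate and erase one subject's rows using the key alone. Note that erasing the table entry removes the ability to reverse the token, but as long as the key exists the controller can still link a known address to its rows, so the data remains personal data until the key itself is destroyed.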

The EU Digital Single Market strategy covers "digital economy" activities of businesses and people in the EU. As part of the strategy, the GDPR applies from 25 May 2018 and the NIS Directive had to be transposed into member states' national law by 9 May 2018. The proposed ePrivacy Regulation was also planned to apply from 25 May 2018, but has been delayed. The eIDAS Regulation is also part of the strategy.

Right now, from 25 May 2018 the GDPR protects data subjects in the European Union (and binds organisations anywhere that process their data); users in India do not come under it for now. Also, for many global tech giants like Facebook, Microsoft, Apple etc. this is a massive public relations opportunity. Most of these companies have a single global set of usage and privacy policies. That is one of the reasons why you must be seeing so many updates and permission prompts pop up every week when you open your Facebook app or even WhatsApp. They have included the compliance measures mentioned in the GDPR, but with a clause that they may differ in other jurisdictions; in India, for example, the GDPR holds much less significance than it does in the European Union.