With the European Union’s (EU) General Data Protection Regulation, or GDPR, coming into effect on Friday, 25 May, organisations across the world are set to feel the impact. The regulation is stringent, and companies must have the required systems and processes in place if they want to keep doing business with people in the EU. Non-compliance will cost them dearly.
So, where does a consumer stand in the new scheme of things? Before we get there, let’s first look at what this new data law is all about.
What is GDPR?
The General Data Protection Regulation was adopted in Europe in 2016, with a two-year transition period before it becomes enforceable on 25 May 2018. Defining personal data as “any information relating to an identified or identifiable natural person”, the regulation was framed to ensure data protection and privacy for all EU residents. It also applies to organisations outside the EU that offer goods or services to people in the EU, or that monitor their behaviour.
The law replaces the 1995 Data Protection Directive, which set only minimum standards for processing data and was transposed differently by each member state. GDPR aims to strengthen an individual’s rights in three primary areas: personal data, consent, and privacy. People in the EU can now assert rights over their personal data with far more confidence. Consent is key: it must be an active, affirmative choice, so the pre-ticked ‘I Agree’ boxes at the bottom of terms and conditions pages will be a thing of the past. Consumers can ask companies holding their personal data to disclose or delete it. Regulators will also enjoy more power, as they will no longer be confined to their respective jurisdictions and can act as a unit across the EU. Companies found violating GDPR face higher fines: a maximum of €20m or 4% of the company’s global annual turnover, whichever is greater.
GDPR also addresses the core security tenets of confidentiality, integrity and availability of data: Article 32 requires controllers and processors to implement technical and organisational measures, appropriate to the risk, that ensure the ongoing confidentiality, integrity, availability and resilience of the systems that process personal data.
How will it affect companies?
GDPR is going to affect more or less every company. Those processing large amounts of consumer data will feel it most, as will technology firms and any business built on exploiting consumer data. Consent to share personal data has to be sought explicitly from consumers, in a request that is “clearly distinguishable from other matters” and not buried in fine print.
GDPR will directly affect the way companies implement IT security: it requires data protection by design and by default, security measures appropriate to the risk of the processing, and notification of personal data breaches to the regulator.
Most of the big companies have updated their sites to comply with GDPR. Facing heat over a massive data scandal, Facebook told EU Parliament leaders last week that it had launched a range of tools to “put people in more control over their privacy”. “In addition to GDPR, we’re also working to give people important new controls,” Zuckerberg said as he was grilled by the EU leaders. It has built an “access your information” tool that lets users find, download and delete specific data. Zuckerberg stressed that the social networking giant was trying to plug loopholes across its services, including curbing fake news and political interference on its platform ahead of upcoming elections around the world, including in India.
Apple has also revealed a privacy dashboard of its own. Google, on the other hand, updated its products and privacy policies without announcing the changes.
“GDPR is an important step forward for privacy rights in Europe and around the world, and we’ve been enthusiastic supporters of GDPR since it was first proposed in 2012,” Julie Brill, Corporate Vice President and Deputy General Counsel, Microsoft, wrote in a blog post this week.
What does it mean for consumers?
GDPR empowers people to control their personal information, and sets a strong standard for privacy and data protection. People in the EU can now hold companies to account in a much bigger way, and will have far more say in how their personal data is shared. They can withhold consent for the use of their data for specific purposes, request access to the information data brokers hold on them, or have their information deleted altogether. You can ask any company for a copy of the personal data it holds on you, and the company must respond within a month (extendable by a further two months for complex requests). You can also tell a company that a particular piece of data about you is incorrect and must be corrected. Companies may use your data only for the purpose for which you shared it; they cannot pass it on or sell it to another company, or use it to offer you unrelated services, without a lawful basis such as your consent. The onus is also on the company to keep the data it stores secure. Companies are now required to notify the regulator of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to individuals, and to inform the affected people directly when the breach is likely to result in a high risk to them. Failure to comply invites a penalty.
Even if you never exercise these rights, the new law is designed to make data-driven firms more careful with your personal information. GDPR will force businesses to evolve new strategies for engaging with people.
How effective will GDPR be?
Well, rules are meant to be broken, and there are grey areas in the new data rule too. For example, it is not yet clear how regulators will treat a company that ‘forces’ a consumer to consent by offering a take-it-or-leave-it deal: the regulation says consent is unlikely to be freely given when access to a service is made conditional on it, but how strictly that will be enforced is untested. While the law does define “personal data”, and defines it broadly enough to cover online identifiers and location data alongside names, phone numbers, photographs and credit card details, where the boundary lies in practice is still unclear.
The success of GDPR will also depend on how its provisions are interpreted by individuals, companies and regulators. Experts say compliance is a complicated process that requires an in-depth understanding of privacy law and policy.
What will be the impact of GDPR in India?
India does not have an EU adequacy decision, so personal data cannot be transferred from the EU to India on the strength of Indian law alone; such transfers need additional safeguards, such as standard contractual clauses. This makes GDPR a challenge for Indian firms operating in the EU. According to an Ernst & Young survey, only 13 per cent of Indian firms have a plan to comply with GDPR by May 25.
“It is imperative for Indian firms to plan and continue their journey towards compliance even after May 25, to ensure continuity of business within the EU and avoid hefty penalties because of non-compliance,” IANS quotes Jaspreet Singh, Partner-Cyber Security, EY, in a report.
“For Indian companies with operations in the EU, data security measures will now have to work alongside legal and compliance teams to ensure maximum adherence to GDPR,” says Ramesh Vantipalli, Director Systems Engineering, End User Computing, VMware India.
“Indian companies operating in the EU will have to change the way they capture, process and use data of EU nationals,” says Prajit Nair, Director Sales-End User Computing, VMware India.
Microsoft India president Anant Maheshwari, meanwhile, said on Wednesday that the company had vowed to extend the core rights guaranteed under the new regulation to all of its customers worldwide. “This is a golden opportunity for India to drive thought leadership in the global market. We can build expertise and capabilities, create new lines of advisory and consulting businesses, develop a market differentiator and be a source of competitiveness,” Maheshwari said in a blog post.