
General Data Protection Regulation (GDPR)

The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individual citizens of the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas. 


Overview

The GDPR is a recently proposed law agreed by the EU member states. The need for it arose because the existing data protection laws did not adequately protect consumers. GDPR stands for “General Data Protection Regulation”. The law defines how consumers’ data may be collected and processed, and the parties it covers include government agencies, non-governmental agencies, online business properties run by companies (such as websites and web apps), games and payment processing services. It also affects manufacturing companies that have been known to collect user information when selling their goods and products. Although the emphasis will be on companies and organisations that sell within the European Union, the law will affect companies and organisations in the UK as well, despite the United Kingdom’s decision to leave the European Union.

Introduction

With this law in place, multinational companies such as Microsoft take the view that control of personal data will be returned to the individual, thereby safeguarding the individual’s privacy rights. The increase in cyber security attacks drove the adoption of this law, which limits the amount of data the different kinds of agencies may collect. The assumption is that if user information is accessed in an attack, the compromised information will be too limited to harm the individual.

When will the GDPR be implemented? 

These rules and regulations were almost five years in the making and finally came to fruition on April 14th, 2016. Implementation, however, will be rolled out on May 25th, 2018, two years after the rules and regulations were proposed.

Principles of the GDPR

The General Data Protection Regulation (GDPR) defines the following key principles within its regulation. All personal data shall:

  1. Be processed within the limitations of the proposed law.
  2. Be collected only for the particular purposes specified in the company’s Terms of Service and Privacy Policy, and not for any other purpose(s) not specified or clearly stated in those legal documents.
  3. Be collected accurately and be correct. This information should be updated regularly.
  4. Be collected in adequate measure: the amount of personal data collected should be enough for the business operations and no more.
  5. Not be held for longer than necessary. By this, the regulation specifies that the period should be long enough to enable the company to process the information adequately.
  6. Be processed in compliance with the legal rights of the individual as defined in the laws of the land.
  7. Not be transferred to a third party outside the jurisdiction of the European Union.
  8. Be safeguarded: the organisations processing this data shall take the necessary measures to guard against unlawful access to the information, especially through cyber crime and internal unauthorised access.

Key areas of consideration

The key elements of GDPR focus are:

Lawful processing of the data:

This point is defined as one of the “conditions of processing” and requires the organisation collecting the data to identify the appropriate legal basis for using the data collected. It is important to determine the legal basis for processing the personal and sensitive data that the organisation intends to collect before actually collecting and processing it. These conditions are particularly important to, and most applicable to, public entities or authorities and highly regulated sectors.

Consent:

The General Data Protection Regulation refers to both ‘consent’ and ‘explicit consent’ without drawing a particular distinction between them, and in both cases specifies that consent has to be given without coercion or undue influence. The consent has to be clear, specific and unambiguous, and the individual giving it should be well informed.

As per the ICO’s website-based guidance on what constitutes valid consent, the GDPR specifies the actions that constitute consent, and these must be a clear affirmative action. Once consent has been given it must be verifiable, which involves storing records of the consent given, and individuals reserve the right to withdraw consent at any time.

Anyone who cannot meet this standard of consent must seek an alternative lawful basis through the legal channels specified in the region-specific laws, or cease processing the data in question altogether.

Data protection design

Data protection by default requires you to process only the data that is necessary to achieve specific objectives. According to Tankard (2016), Article 25 of the GDPR requires that data protection mechanisms and policies be an integral part of each project from the design stage. This is the principle of data protection by design, through which the GDPR enforces the protection of personal data. The article encourages data managers to integrate data protection mechanisms during design, rather than relying on reactive measures once a data breach occurs. Data protection should be integrated into each step of the development cycle.

How does the GDPR affect business operations?

  1. Mandatory data-breach notification – the new GDPR regulations require the company’s controller to notify the appropriate authorities of any data-breach incident within 72 hours of its occurrence. This requirement might prove costly for businesses that need to protect their public image.
  2. A right to be forgotten – the GDPR has introduced a “right to be forgotten”, under which a customer (in certain circumstances) can request that a company erase the personal data it stores about them. This regulation might require companies to devise new strategies for maintaining data inventories and mechanisms for carrying out such requests.
  3. Mandatory data protection officers – the GDPR requires every large company to appoint a Data Protection Officer (DPO). Company attorneys initially handled the role of the DPO, but the GDPR requires each such company to have a dedicated DPO. The new post creates a problem for companies because there are few DPO experts in the EU (Gallie, 2013).

Individual’s rights

The GDPR specifies the following rights of all individuals regarding data collection. Every individual has the right:

  • To be informed
  • Of access
  • To rectification
  • To erasure (that is, on withdrawal of consent)
  • To restrict the business from processing data
  • To data portability
  • To object

General FAQs

  1. What is personal data?
    This is information relating to a particular individual that can relate only to that one individual. It includes the person’s name, email address, social media posts, place of residence and medical information, among other details that are unique to the individual. It can also be business information about an individual.
  2. What will be the cost of complying with the GDPR regulations?
    For individuals and corporations that are already compliant with the Data Protection Act of 1998, the change to the GDPR will be smoother and less costly than for those implementing such a change for the first time.
  3. Where can anyone interested in getting more information about the GDPR find it?
    Anyone who needs to find out more about the GDPR, including its creation process, adoption guidelines and general information, can visit its online portal at the Guide to GDPR page.

References

Tankard, C. (2016). What the GDPR means for businesses. Network Security, 2016(6), 5-8. http://dx.doi.org/10.1016/s1353-4858(16)30056-3

Albrecht, J. (2016). How the GDPR Will Change the World. European Data Protection Law Review, 2(3), 287-289. http://dx.doi.org/10.21552/edpl/2016/3/4

Gallie, A. (2013). Following fair, transparent and lawful data protection principles. Nursing and Residential Care, 15(10), 694-696. http://dx.doi.org/10.12968/nrec.2013.15.10.694
