Do you work closely with the personal data of European Union (EU) residents? Are you a company or an organization that controls the data of EU residents? If you answered yes, do you know that a new EU regulation called the General Data Protection Regulation (GDPR) is set to hold you accountable for EU citizens' data?
The General Data Protection Regulation is a European data protection act that took effect across Europe on May 25, 2018. It replaces the outdated 1995 data protection regulation, which came into force well before giants such as Facebook and Twitter existed in the digital world. The new law is regarded as a guiding law for all countries willing to enact data protection laws. Experts believe that GDPR has shifted the balance of power from corporations to consumers and empowered them to take control of their data. According to GDPR, personal data means "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
Here are the ten key highlights from the GDPR.
- GDPR puts utmost emphasis on the explicit consent of the user to the processing of his/her data. The consent has to be sought in plain and simple language.
- Personal data has to be processed in a transparent manner, for the specific purpose for which it was collected and not beyond the permission granted.
- The law also empowers the individual to withdraw from data processing at any time.
- In case of a data breach, the organization controlling the consumer data should inform the relevant data protection authority within 72 hours, unless the breach is not serious enough to threaten the rights of the affected consumers. If it fails to do so, it should explain to the regulator why it was unable to notify it in time.
- In situations where a data breach is likely to have high-risk consequences for rights and freedoms, the organization should also communicate the breach to the affected consumers.
- Under the law, an individual can seek a copy of his/her personal data from an organization holding it. He/she can also seek the deletion and removal of that data, or the blocking or suppression of its processing, especially when the processing is questionable.
- Failure to comply with GDPR could result in a fine of up to 4% of the organization's annual global turnover.
- Under the law, any person with a complaint against an organization processing or controlling his/her personal data can approach the data protection authority to file that complaint.
- GDPR also urges organizations to hire a dedicated data protection officer who will not only act as a contact point on behalf of the organization for regulatory authorities, but also advise the organization on compliance with GDPR.
- GDPR applies to all corporations/organizations that process or hold the data of Europeans, irrespective of whether the company is based in Europe or not. This means that if a European takes a Careem ride in Pakistan, Careem is liable to process the data of the EU resident and take the necessary precautionary measures as per GDPR rules.
GDPR sends organizations into panic mode:
Since GDPR came into force, it seems as if organizations have gone into panic mode. A number of US websites were unavailable in most EU countries as soon as the law came into force. Meanwhile, polls conducted by US-based organizations including Baker Tilly and Hytrust pointed out that a significant number of corporations were not prepared to comply with GDPR.
The day the law came into effect, multiple lawsuits were filed across Europe against corporations including Facebook and Google for being non-compliant with GDPR. According to the BBC, "Facebook, Google, Instagram and WhatsApp are accused of forcing users to consent to targeted advertising to use the services."
According to CNN, the complaint against Facebook was filed with Austrian data regulators, the one against Google with French authorities, the one against WhatsApp with German regulators, and the complaint against Instagram with Belgian authorities.
If the authorities agree that the companies violated GDPR rules, they could face fines of up to billions of dollars.
Talal Raza is a Program Manager at Media Matters for Democracy. He has worked with renowned media organizations and NGOs including Geo News, The Nation, United States Institute of Peace and Privacy International.