GDPR Declaration !!

I am not collecting any personal information of any reader of or visitor to this blog. I am using Blogger, provided by Google to host this blog. I understand that Google is using cookies to collect personal information for its Analytics and Adsense applications.

May 22, 2018

EU GDPR (General Data Protection Regulation)

European union has introduced GDPR (General Data Protection Regulation) to streamline the data protection regulation across the member countries. The GDPR replaces the EU’s Data Protection Directive, which went into effect in 1995.  While the rules are enforceable at the Union level, individual member countries are free to tweak the rules based on country specific circumstances. This regulation is aimed at preventing scandals like the misuse of personal data as it happened in US Elections.

This regulation spans 174 Paragraphs, 12 Chapters and 99 Articles. This was approved on 27 April, 2016 and will come to effect from 25 May, 2018

Highlights of GDPR: Image Courtesy European Council

There are two objectives of this regulation.
One, to protect the fundamental rights and freedoms of natural persons in the EU and in particular their right to the protection of personal data. Two, to ensure the free movement of personal data within the Union,

There are two reasons for bringing out these regulations. First is the ease of movement of citizens within the union. A uniform data protection rules across the union will ensure free movement of people and facilitate ease of business. Second reason is the advent of technology that collects a huge amount of personal data and without a uniform regulation, the data has a potential of being misused.

Message from Yahoo for GDPR Compliance
The regulations cover the natural persons in EU countries and not legal persons like businesses. It also covers the processing of personal data through automated as well as personal means. Personal data collected by public authorities in the course of their duties are excluded from the purview of this regulation

To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping.

The principle of this regulation is to bring the ownership of their personal data back to the individuals. The rights of individuals are at the front and centre of this legislation. They get to decide what personal data is collected, how it is used and how and when it is removed from the collector's database. The regulations are applicable even when the data is transferred from EU countries to countries outside of the union.
GDPR-A Synopsis
The regulation sets out in detail the rights of the data subjects and the obligations of the entities that process and use the information collected. It introduces two new entities, Controllers and Processors. Controllers set the policies related to the collection and processing of the personal data and the processors do the necessary processing activities using the data. For example, if the company is outsourcing the payroll processing to a third party, the individual employee will be the data subject, the company will be the controller and the payroll processing entity will be the processor. In addition controllers can create a new position of Data Protection Officer, who has extensive knowledge on the regulation and whose role is to guide the processors in compliance of the regulation.

The key idea is that of purpose. Personal data should be collected only for a specific purpose informed to and accepted by the data subject (the natural person whose data is being collected). Once the purpose of data is completed, the data should be erased from the main database and all the downstream databases that used that data. In addition, data subjects should have the explicitly laid out option to request for modification and erasure of their personal data from the database of the controller and all the downstream databases. Once such request is received, the controllers should ensure a time-bound adherence to the request and confirm to the data subject In addition the data subject should have the right to transfer the data from one controller to another (for example, while changing hospitals)

The regulation covers 'any' information relating to an identified or identifiable natural person. It excludes anonymous information, for example that collected in the course of market research.

To protect PII (Personal Identifiable Information) controllers and processors are expected to use technology and tool like 'pseudonymization', encryption and masking of data. In addition, they are expected to use data protection technology to secure the data. However, use of such tools and technologies do not exclude controllers and processors from the obligations under this law.

In short, Controllers should ensure data protection by design and data protection by default.

What constitutes a PII? GDPR takes a wide view of what constitutes personal identification information. Companies will need the same level of protection for things like an individual’s IP address or cookie data as they do for name, address and Social Security number. Personal data is any information that can identify an individual person. This includes a name, an ID number, location data (for example, location data collected by a mobile phone) or a postal address, online browsing history, images or anything relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.

GDPR protects the following PII.
  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation
Explicit consent of data subject is required for processing her data. This can be either written or oral. The consent can also be in the form of an explicit checkbox provided in online forms. When the processing has multiple purposes, consent should be given for each of them. The consent should be drafted in simple words and the data subject should be aware of the identity of the controller and the purpose of the data processing.

Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum.

Specific consent of the data subject is required for collection and processing of sensitive data, for example, 'racial' information or information related to the health history of the natural person. The controllers and processors are subject to stringent controls regarding the use of such data.

The regulations are equally applicable for data stored in countries outside of EU. However a certification mechanism has been provided for such countries and entities in those countries that they adhere to the data protection standards as laid down by this regulation and as per the applicable international laws. This decision to certify a country or a controller within that country is subject to revocation giving sufficient justification and prior information.

A structured and hierarchical legal system is designed to handle the complaints under this regulation. There will be supervisory authorities, lead supervisory authorities and the courts in each country that a data subject  can take recourse to to get his complaints addressed. The regulation calls for imposition of fine that is effective, proportionate and dissuasive.

The regulations also enforce controls on the archiving of the data (for restricted specific purposes like public benefit, research etc) with focus being on 'minimization', encryption and pseudomization of archived data. Controller will be responsible for archiving the data as per the rules.

Finally, the penalties for violation of the regulation will be huge. An organization in breach of GDPR laws will be fined up to 4 percent of annual global turnover or 20 million euros ($24.6 million), whichever is bigger. For many IT companies whose turnover is in billions of Euros, the penalty can be very harsh.

In conclusion, the new regulations are comprehensive and impose liabilities on controllers and processors to ensure that the personal data of natural persons in EU countries is rigorously protected and is maintained on a need to use basis. It brings back the control of the personal data on the individuals while respecting the freedom of speech and expression and also ensuring that socially progressive activities that use such data are not hampered.

This regulation will have impact on ERP systems that collect personal data. How ERP will handle it is the subject of another post.

References and additional reading:

  1. Everything you needed to know about GDPR - CNBC
  2. GDPR: Requirements, deadlines and facts: CSOnline
  3. GDPR and You
  4. GDPR and Individuals
  5. How will GDPR affect you? Guardian
  6. Are you ready for GDPR? CIO Mag
  7. GDPR: From compliance to exposure
  8. 10 things to know about GDPR

1 comment:

raja singh said...

You have discussed an interesting topic that everybody should know. Very well explained with examples. I have found a similar website gdpr, gdprupdate visit the site to know more about fileom