2018-05-25
The European Union’s General Data Protection Regulation (GDPR) goes into effect today, which is why most email inboxes across the world are flooded with emails from companies about updates to their privacy policies. GDPR lays down a new set of rules on the processing of personal data and on the free movement of that data. Essentially, ‘data protection’ is treated as a fundamental right under the new GDPR rules, and according to the Act, this is in “balance with other fundamental rights.” The new set of rules also aims to ensure a “high level of data protection.”
GDPR gives EU citizens more control over their data, but it has implications beyond the European Union. GDPR is also the reason why nearly all players from Google to Facebook are updating their privacy policies and alerting you about it. Here’s a look at the key developments with regard to GDPR, which comes into effect today, May 25.
Highlights
When it comes to data breaches, GDPR says that companies will need to inform regulators within 72 hours. Take the recent Cambridge Analytica and Facebook scandal: the social media giant is still scrambling to figure out how big the impact of this data leak was, and Facebook has itself said that a full investigation into other apps could take years. But under GDPR, the deadline for informing users and regulators is now 72 hours. Failure to do so could come with steep fines.
According to Article 13, GDPR says that the data subject, meaning the user, needs to be made aware of the "identity and the contact details of the controller and, where applicable, of the controller’s representative," when their personal data is being collected. Companies are also asked to tell users the contact details of the data protection officer, where applicable. More importantly, companies will have to tell users "the purposes of the processing for which the personal data are intended as well as the legal basis for the processing." If the data will be transferred to a third country, companies need to alert the user about that too.
One of the key principles of GDPR is that it calls for 'data protection by design.' According to Article 25, the controller needs to "implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation." It also notes that the controller needs to ensure that only the personal data that is actually needed is collected. Controllers will also need to make sure that an individual's personal data is not made accessible to other persons without the user's intervention or explicit permission.
Article 5 of the General Data Protection Regulation lays out the principles of how data is to be processed and says this should be done 'lawfully, fairly and in a transparent manner in relation to the data subject.' The data can only be used for the specific purpose for which it is collected, and the section notes it must be 'not further processed in a manner that is incompatible with those purposes.' It also adds that the companies and entities collecting data need to take steps to ensure this data is 'accurate and, where necessary, kept up to date.' On the subject of storing personal data, it says this can be stored for longer periods only for 'archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.' The section also notes that entities need to ensure 'appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.' So yes, internet corporations, especially a Facebook or Google, which collect large amounts of personal data, need to ensure that it is not misused, stolen or damaged.