The European Union's General Data Protection Regulation (GDPR) goes into effect today, which is why inboxes around the world are flooded with emails from companies about updates to their privacy policies. GDPR lays down a new set of rules on the processing of personal data and on the free movement of that data. Under GDPR, 'data protection' is treated as a fundamental right which, in the Regulation's words, has to be in "balance with other fundamental rights." The rules also aim to ensure a "high level of data protection."
GDPR gives people in the EU more control over their data, but its implications reach beyond the European Union: it is the reason nearly every major player, from Google to Facebook, is updating its privacy policy and notifying users about it. Here's a look at the key developments around GDPR, which comes into effect today, May 25.
GDPR: Facebook introduces privacy reviews for Indian users
Facebook has updated its data policy as the European Union's General Data Protection Regulation (GDPR) rules go into effect from May 25. As part of the changes, the social media platform will show an alert in users' News Feed encouraging them to review details about advertising, facial recognition and the information they have shared on their profiles and Timelines. Facebook's privacy review will be available in 11 local languages in India.
GDPR: What experts have to say
"Companies need to realize a breach is inevitable and key stakeholders, their customers, expect them to take reasonable measures to prevent breaches in the first place, and when that fails, to respond quickly and appropriately. GDPR mandates this practice for companies that operate in the EU or companies doing business with EU citizens. Questions remain, however, around implementation, interpretation and administration of the data protection practices – and these will need to be ironed out as the GDPR becomes enforceable. In order to be compliant, a business must begin introducing the correct security protocols in their journey to reaching GDPR compliance, including encryption, two-factor authentication and key management strategies to avoid severe legal, financial and reputational consequences," Rana Gupta, Vice President – APAC Sales, Identity and Data Protection, Gemalto, said in a press statement.
GDPR and penalties: Will companies be fined for violation of rules?
Yes, this is one of the most important parts of the GDPR framework. Under the rules, the supervisory authority in each EU country can fine companies for non-compliance or violations of GDPR. Fines must be 'effective, proportionate and dissuasive' in each individual case, according to Article 83. The degree of cooperation with the supervisory authority is one of the factors that determines the size of a fine, so a lack of cooperation can push the penalty higher. For the most severe violations, a company can be fined up to 20 million euros or up to 4 per cent of its total worldwide annual turnover for the preceding financial year, whichever is higher. Thus in theory, companies like Google or Facebook could face fines of billions of euros if an EU supervisory authority finds them guilty of seriously violating the GDPR framework.
European Commission 🇪🇺 (@EU_Commission), May 24, 2018: "This is it. Today, our EU #DataProtection rules enter into application, putting the Europeans back in control of their data. Europe asserts its digital sovereignty and gets ready for the digital age. Read our statement → https://t.co/P19IRPWfqv #GDPR pic.twitter.com/hwCKSj2TjE"
GDPR and the right to be forgotten
EU's GDPR also comes with a right to erasure, commonly called the right to be forgotten (Article 17). Under it, a user can demand that a company delete the personal data it has collected about them 'without undue delay,' according to the Regulation. The company must also erase the data where the personal data is no longer necessary for the purpose for which it was collected, where the user withdraws the consent on which the processing was based, or where the personal data has been 'unlawfully processed.'
Erasure (Official) (@erasureinfo), May 25, 2018: "As today is GDPR day we wanted to remind you of your rights... pic.twitter.com/D4Z9OXVRHY"
GDPR and the right to Data Portability
One of the key features of GDPR is the 'right to data portability' (Article 20). It says that the 'data subject', that is, the user, has the right to receive the personal data concerning them which they have provided to a company. The data must be handed over in a 'structured, commonly used and machine-readable format.' The user also has the right to have their 'personal data transmitted directly from one controller to another, where technically feasible,' according to the GDPR rules.
GDPR and what it does for 'user consent'
One of the more interesting aspects of GDPR is how it deals with user consent. Consent is one of the legal bases on which a company may process personal data, and where it relies on consent, that consent must be freely given, specific, informed and unambiguous; the company must also be able to demonstrate that the user gave it. To make consent informed, the company has to give the user sufficient information about what data it collects and why, in a form the user can actually understand, and the user must be able to withdraw consent as easily as they gave it.
TwistedDoodles (@twisteddoodles), May 24, 2018: "Happy GDPR eve pic.twitter.com/5nnRiczHGV"
GDPR and WhatsApp's Request Account Info feature
WhatsApp has rolled out a Request Account Info feature in line with GDPR. It lets users download the data WhatsApp has collected about them. Users can go to Settings, then Account, then Request Account Info, and ask for a report of their WhatsApp account information. The report is generated within three days, after which users can download it and export it to another app. However, the report does not include WhatsApp messages.
Will GDPR be limited to just European Union?
Here's where things get interesting and the implications of GDPR become clearer. GDPR applies to every company that processes the personal data of people in the EU, not just to companies based in the EU. In practice this means internet companies have to upgrade their policies worldwide, as is clear in the case of Google, Instagram and even WhatsApp. For instance, WhatsApp now provides users with a tool to check what data the app has collected about them.
"We've improved the navigation and organization of the policy to make it easier to find what you're looking for. We've also explained our practices in more detail and with clearer language," says Google. It will also offer visual descriptions that make some details of the policy easier to understand, along with videos to make some points clearer.
GDPR: What it says about data breaches
When it comes to data breaches, GDPR says that companies must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the people affected (Article 33). Where the breach is likely to result in a high risk to them, the affected users must also be told without undue delay (Article 34). Compare that with the recent Cambridge Analytica and Facebook scandal: the social media giant is still scrambling to figure out how big the impact of that data leak was, and Facebook itself has said that a full investigation into other apps could take years. Under GDPR, the clock for telling the regulator starts running as soon as the company becomes aware of the breach, and failure to meet these deadlines can come with steep fines.
EU GDPR: What needs to be told to the data subject
According to Article 13, the data subject, that is, the user, must be told the "identity and the contact details of the controller and, where applicable, of the controller's representative" when their personal data is collected. Companies must also give users the contact details of the data protection officer, where one applies. More importantly, companies have to tell users "the purposes of the processing for which the personal data are intended as well as the legal basis for the processing." If the data will be transferred to a third country, the company has to tell the user that too.
EU GDPR: Data protection by design
One of the key principles of GDPR is that it calls for 'data protection by design and by default.' According to Article 25, the controller must "implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation." The article also requires the controller to ensure that, by default, only the personal data necessary for each specific purpose is processed, which covers the amount of data collected, how far it is processed, how long it is stored and who can access it. In particular, by default personal data must not be made accessible to an indefinite number of people without the individual's intervention.
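As an added illustration of what 'pseudonymisation' and 'data minimisation' look like in practice, here is a small worked example. This is example code written for this page, not code from Facebook, Google or any regulator; the sample records, the allow-list of reporting fields and the keys are all constructed for the example. It also goes one step beyond the text: it contrasts a keyed pseudonym (HMAC-SHA256 under a secret key held in a separate store, so re-identification needs that 'additional information') with a plain hash of the e-mail address, which a dictionary attack over likely addresses reverses immediately.

```python
"""Pseudonymisation plus data minimisation for a small record set.

Example code for this page, not from any product named in the article.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample input: raw records as a sign-up form might collect them.
RAW_RECORDS = [
    {"email": "Alice@Example.com", "name": "Alice Aalto", "phone": "+358401234567",
     "country": "FI", "plan": "pro", "signup_month": "2018-03"},
    {"email": "bob@example.org", "name": "Bob Brunner", "phone": "+4915112345678",
     "country": "DE", "plan": "free", "signup_month": "2018-05"},
]

# Data minimisation: the only attributes the (hypothetical) reporting job needs.
# Name and phone are not on the list, so they never reach the reporting dataset.
REPORTING_FIELDS = ("country", "plan", "signup_month")


def normalise_email(email: str) -> str:
    """Canonical form, so the same person always maps to the same pseudonym."""
    return email.strip().lower()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key, a pseudonym cannot be
    attributed back to the person, which is what Article 4(5) requires."""
    data = normalise_email(identifier).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def unkeyed_pseudonym(identifier: str) -> str:
    """The weak alternative: a plain SHA-256 of the address. Included only to
    show why it is not adequate pseudonymisation (see dictionary_attack)."""
    return hashlib.sha256(normalise_email(identifier).encode("utf-8")).hexdigest()


class PseudonymStore:
    """Holds the 'additional information' that Article 4(5) says must be kept
    separately from the pseudonymised data: the key and the pseudonym map.
    The reporting team gets the dataset; only this store can re-identify."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def pseudonymise(self, identifier: str) -> str:
        pseudonym = keyed_pseudonym(identifier, self._key)
        self._lookup[pseudonym] = normalise_email(identifier)
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Attribution is possible only for the party holding the store."""
        return self._lookup.get(pseudonym)


def minimise_and_pseudonymise(records: Iterable[Dict[str, str]],
                              store: PseudonymStore) -> List[Dict[str, str]]:
    """Replace the direct identifier with a pseudonym and keep only the
    allow-listed fields; everything else is dropped before the data leaves."""
    rows = []
    for rec in records:
        row = {"subject": store.pseudonymise(rec["email"])}
        row.update({f: rec[f] for f in REPORTING_FIELDS if f in rec})
        rows.append(row)
    return rows


def dictionary_attack(pseudonyms: Iterable[str], guesses: Iterable[str],
                      pseudonym_fn: Callable[[str], str]) -> Dict[str, str]:
    """What someone holding only the dataset and a list of likely addresses can
    do: recompute the pseudonym for every guess and match it against the data."""
    targets = set(pseudonyms)
    found = {}
    for guess in guesses:
        candidate = pseudonym_fn(guess)
        if candidate in targets:
            found[candidate] = normalise_email(guess)
    return found


if __name__ == "__main__":
    store = PseudonymStore()
    dataset = minimise_and_pseudonymise(RAW_RECORDS, store)
    print(dataset)
    guesses = ["alice@example.com", "carol@example.net"]
    # Plain hashes fall to the guess list; keyed pseudonyms do not (no key).
    print(dictionary_attack([unkeyed_pseudonym(r["email"]) for r in RAW_RECORDS],
                            guesses, unkeyed_pseudonym))
    print(dictionary_attack([r["subject"] for r in dataset], guesses,
                            lambda g: keyed_pseudonym(g, secrets.token_bytes(32))))
```

The design point is the separation: the reporting dataset carries only the pseudonym and the allow-listed fields, while the key and the pseudonym-to-address map live in the store. Anyone who obtains the dataset alone can still run the guess list, which is why the e-mail address is hashed under a secret key rather than on its own; rotating that key would also change every pseudonym, so in a real system the key and the map need the same access controls as the raw identifiers.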
GDPR: What does it say regarding data storage and processing?
Article 5 of the General Data Protection Regulation lays out the principles for processing personal data and says it must be done 'lawfully, fairly and in a transparent manner in relation to the data subject.' Data may only be collected for specified, explicit and legitimate purposes and, as the article puts it, 'not further processed in a manner that is incompatible with those purposes.' It also requires companies and other entities collecting data to ensure the data is 'accurate and, where necessary, kept up to date.' On storage, it says personal data may be kept in a form that identifies people for no longer than is necessary for the purposes it was collected for; longer storage is permitted only for 'archiving purposes in the public interest, scientific or historical research purposes or statistical purposes,' and then subject to safeguards. The article further requires entities to ensure 'appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.' So yes, internet corporations, especially a Facebook or Google, which collect large amounts of personal data, need to ensure that it is not misused, stolen or damaged.