“After four years of preparation and debate, the GDPR was finally approved by the EU Parliament on 14 April 2016. Enforcement date: 25 May 2018 - at which time those organizations in non-compliance may face heavy fines.”

EU General Data Protection Regulation (GDPR) has been referred as the harbinger of the data privacy laws amid all the allegations, global outcry, and drama on data privacy across the world (yes, we are referring to the Facebook-Cambridge Data Scandal, here).  

The law ensures that the citizens remain protected from possible data breaches while empowering them in today’s increasingly data-driven world that is vastly different from the time in which the previous 1995 directive was established.

An Overview

The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive (95/46/EC) and is devised to “harmonize” data privacy laws across Europe. It aims to protect and empower all EU citizens’ data privacy and reshape the way organizations across the region approach data privacy. 

In spite of the fact that the data security and its privacy hold true to the 1995 directive, the regulatory policy was not compatible with the digitized way of living and hence the need. The EU GDPR is focused on the way the information is taken by the businesses and utilized thereafter. 

Keeping the “consent of the user” to the fore, the law is framed to give greater protection and rights to the individuals. 

Started with European Commission’s proposal to strengthen online privacy rights and digital economy on 25 January 2012, the path was paved for the new regulation. It was subsequently adopted by both European Parliament and European Council in April 2016 after taking the opinion and review of various committees. 

The regulation will come into force on 25th May 2018. The two year period has given time to businesses and public bodies to prepare for the coming change. 

What is the Data? 

Let’s say you are an e-commerce website. For every successful deal, your customer shares her information with you. You have access to the information like - their name, address, phone number, bank and card details, email address, even their IP address. You need these to improve your sales and user experience, of course, and provide a better and personalized experience. But all these come under the ambit of personal information. 

Because hey, when combined they can be used to identify a living person directly or indirectly! 

According to the European Commission, "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life…. a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address." 

Long story short, the data is any information that lets an agency make of an individual. 

Who Will It Affect?

The regulation will not only affect the people residing in EU but also people and organizations involved in the process of data collection or processing of data subjects residing in EU. 

This soars the territorial scope as compared to previous directives which were more equivocal and were related to the “context of the establishment”. 

Increased Territorial Scope 

Apparently, the most-important important change that it brings is the extended jurisdiction and is not limited to the law of the land. 

EUGDPR.org defines the increased territorial scope as applicable -  

1. To all the companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. 
2. To the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. 
3. To the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to - offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behavior that takes place within the EU. 
4. To non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.

So will GDPR let me read my boss’ emails about me?

Sadly, no. While the law states that the individuals should have the right to access their personal data, an opinion or thought doesn’t come under the ambit of “personal information subjected by the law”. 

So, in that case, just go and ask your boss what s/he thinks of you.  

Guiding Principles of GDPR

The Article 5 of GDPR lists down six clauses which apparently define the guiding principles.

Lawfulness, fairness, and transparency	“Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”
Purpose Limitation	“Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”
Data Minimisation	“Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”
Accuracy	“Personal data shall be accurate and, where necessary, kept up to date”
Storage Limitation	“Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”
Integrity and Confidentiality	“Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures”
Accountability	“The controller shall be responsible for, and be able to demonstrate compliance with the GDPR”

Further Article 8 also outlines the guidelines on the use of minor consent where the controller shall make reasonable efforts to verify that the consent is given or authorized by the holder of parental responsibility for the child, taking into consideration available technology. 

While Article 9 also prohibits “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited”.

Rules for business and organization

The law applies to:

1. "A company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
    
2. A company  established outside the EU offering goods/services (paid or for free) or monitoring the behavior of individuals in the EU.”

A public administration is required to appoint a Data Protection Officer (DPO). Whose responsibility is to secure personal data. 

In case personal data held is accidentally or unlawfully disclosed to unauthorized recipients the breach must be notified to the Data Protection Authority (DPA) without undue delay and at the latest within 72 hours after having become aware of the breach. The public administration may also need to inform individuals about the breach.

A very crucial aspect that it covers is if and how will the businesses be affected. And most importantly “can data received from a third party be used for marketing?” 

The key point here is if - before acquiring and processing the data of an individual was the said person informed of the intent of selling it to any third party? 

If yes, then GDPR won’t affect your marketing. In case the person didn’t agree to data sharing and as an organization, you still shared, then get ready for some heavy penalties.

For the lower level, the fine can be pushed up to €10 million, or 2% of the worldwide annual revenue of the prior fiscal year, whichever is higher.

For the upper level, the fine can be up to €20 million, or 4% of the worldwide annual revenue of the prior fiscal year, whichever is higher, shall be issued.”

Data Subject Rights

To assure the subjects that the final authority of the data lies with them, one of the key objectives is to ensure the data subject (user) is involved in every step from collection to the final use. 

This brings out one of the key features of the GDPR, that is the “consent” of the data subject. 

Clear and precise conditions have been laid out for “consent” and companies will no longer be able to use long indecipherable terms and conditions loaded with abstruse technical vocabulary. 

Instead, they should be provided in an accessible form, using clear and plain language. Further, it should be easy for a user to give consent and easier to withdraw. 

In brief, the twelve articles and five sections can be divided into 7 points. 

• Right to Access

The right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. 

• Right to be Forgotten

Also known as data erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

• Right for Data Portability

The right for a data subject to receive the personal data concerning them, which they have previously provided in a 'commonly use and machine-readable format' and have the right to transmit that data to another controller. 

• Privacy by Design

At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. More specifically - 'The controller shall..implement appropriate technical and organizational measures..in an effective way.. in order to meet the requirements of this Regulation and protect the rights of data subjects'. 

• Data Protection Authority/Officer

Currently, controllers are required to notify their data processing activities with local DPAs. Under GDPR it will not be necessary to submit notifications/registrations to each local DPA of data processing activities, nor will it be a requirement to notify/obtain approval for transfers based on the Model Contract Clauses (MCCs). 

• Breach Notification

Breach notification is mandatory in all member states and must be done within 72 hours of first having become aware of the breach. Customers, controllers need to be informed “without undue delay” after first becoming aware of a data breach. 

• Right to rectification

This right provides the data subject with the ability to ask for modifications to his or her personal data in case the data subject believes that this personal data is not up to date or accurate.

Policies Which Will Be Affected

Data Protection Directive

When reading about the GDPR the first thing that most articles start with is “...GDPR replaces the 1995 EU Data Protection Directive (95/46/EC)”. Data Protection Directive was also a European Union directive related to the protection of individuals with regard to the processing of personal data and about the free movement of such data. It was adopted in 1995 and regulated the processing of personal data within the European Union.

The seven principles of Notice, Purpose, Consent, Security, Disclosure, Access, Accountability were all incorporated in the previous directive.

EU Cookie law

Until now, under EU cookie law the users would get a pop-up message informing them of the use of cookies. Collecting cookies, under the new regulation would come under collecting the data. 

Cookies till now were more or less vague without proper consent and information on where the cookies were being used.

‘By using this site, you accept cookies’ messages won’t be sufficient. If the pop-up message is not clear, the user consent is not requested, then it doesn’t imply with the idea of clear “consent” of the user.  Moreover, the status quo doesn’t allow users to “forget” them, either. 

The new regulation gives the data subjects the power to access who they share their data with.

Some FAQs Answered

Does the UK still comply with the new regulation after Brexit? The UK is due to leave the EU on 30 March 2019. However, the regulation was adopted (April 2016) before the referendum was passed in the UK (23 June 2016).  So yes, the UK will have to comply with the new regulation.  What is the difference between a data processor and a data controller? A controller is an entity that determines the purposes, conditions, and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller. Will the GDPR set up a one-stop-shop for data privacy regulation? It is still unclear as the standing positions are highly varied.

Conclusion

The regulation is formulated to empower the users, giving them the real power to control their information and who uses it. What's more? Users can reject or opt out of things they don’t like at any point in time. But the effect it will actually have on Europe’s 51 crore population (excluding the other stakeholders) is only a plausible idea, right now. 

What should you do if your website is built on Drupal?

Read our next blog Drupal and GDPR: Everything You Need to Know to understand how Drupal complies with the new regulation and if Drupal is ready for the GDPR compliance.