The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation or a legal act of the European Union (EU) law on data protection privacy effective from 25th May 2018. It is addressed by all organizations and individuals within the European Union and the European Economic Area (EEA). It also addresses to the export of personal data outside of these regions. However, it should also be noted that any company, organization etc., that markets or services to any EU member or resident, irrespective of their location are subject to the regulation.
What is the GDPR?
The GDPR contains roughly 11 chapters and 91 articles. A few articles that have had the biggest impact on security operations have been discussed here.
Article 17: Right to Erasure: – This article may allow the data subject right to direct a data controller to erase their personal data under certain circumstances such as its lawfulness of processing, relevance according to current needs of the subject, etc.
Article 18: Right to Restriction of Processing: – This article may allow the data subject to obtain restriction of processing from the data controller under certain circumstances like the previous one.
Article 20: Right to Data Portability: – This article may allow the subjects to transfer data between service providers or controllers under certain circumstances such as its lawfulness of processing, or misconduct from the controller, etc.
Article 25: Data protection by design and by default: – This article requires data protection to be designed into business development. Thus a data controller is required to take appropriate measures to make sure that the processing, throughout its life cycle complies with the regulation. They should also implement a mechanism such that personal data is not processed unless case specific.
Article 33: Alert of personal data violation to the Supervisory Authority: – This article requires the data controllers to notify of the data breach to their SAs within 72 hours from the discovery of the breach, its nature, consequences and the general number of subjects impacted. In case of delay, the controller is required to submit a cause of the delay.
Article 39: Tasks of the Data Processing Officer: – This article lays down the tasks of a data processing officer (to be appointed by organizations). He /she is too:
Inform and advice the data controllers on their obligations pursuant to the Regulation
Monitor the company’s compliance with the Regulation
Co-operate with SAs etc.
Updates to GDPR and its effects on the global market
The General Data Protection Regulation in effect has replaced the earlier Data Protection Directive founded in 1995. Although the key principles of data privacy hold true to the previous directive, there have been some significant changes, which have had a massive impact on the business world.
The Regulation basically applies to all the companies that are processing data for data subjects residing within the EU irrespective of their (companies) location. Thus, this has arguably been the biggest driving force behind the expansion of the regulation’s jurisdiction. It not only applies to the controllers or processors in the Eu but outside as well, i.e. non-EU based businesses, if process data for subjects in the EU then those businesses come under the regulation’s jurisdiction.
According to this Regulation, any organizations in breach of it can be fined up to 4% of their annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious offenses. This is applicable to both controllers and processors.
GDPR and Google
The policy now includes explanatory videos and illustrations. With ‘Activity Controls’, users can access what information they want to be on the database.
Users can now take a security check-up to reassure them of their security settings. Advertisements can now be managed or muted with Ad Controls.
Google has also introduced a Family Link, which enables parents to set up a Google account for their child and as such is required for consent on the processing of their child’s data.
India and GDPR
The GDPR have had an immense effect in the Indian market of data processing, as nearly 63% of the firms are struggling to comply with the Regulation. According to a recent report, about 60% of the firms have cited the inadequacy of skilled talent as the cause. Almost 50% of the firms who do not have customers or suppliers in the EU look to expand their market into the EU by increasing their privacy spend.
According to the report, 22% of the organizations increased their privacy budgets between 5-15% over the last 12 months. Also, 25% more of these firms look to increase their budget in the same range over the next 12 months. Nearly 75% of the organizations have recognized the need to comply with their own information governance policies in order to comply with the regulation.
The India Draft bill on data protection was issued in light of the recent GDPR enforced by the EU. The Justice Srikrishna Committee that submitted its reports on data protection has drawn a lot of influence from the EU’s GDPR. It has adopted principles like the right to access, right to portability, right to erasure, etc. however, the individual’s right is somewhat limited in comparison with the EU law. Critical personal data processing, however, has been left to the government’s control. It mandates absolute localization, i.e., total control and processing of critical personal data in India.
It also mandates the mirroring of data, which includes the storage of a subject’s personal data in a server in India.