From May 25, 2018, a new journey under the European Union’s General Data Protection Regulation (GDPR) has begun. Day one of the new regulation saw various US-based websites and applications blocked for data subjects in the EU. Multi-billion-dollar lawsuits have already been filed against major entities for alleged violation of the new rules by following a “take it or leave it” approach in their privacy policies. Businesses have engaged in a mad scramble to send updated privacy policies to users and seek their consent to collect and process personal data.
What is the buzz all about?
GDPR is the new data privacy legislation of the European Union (EU), which harmonises and strengthens the data privacy and data protection laws of the EU member states into one regulation. It provides data subjects with extensive rights in relation to the processing of their personal data and imposes heavy penalties for non-compliance. The penalties can go up to the higher of EUR 20 million or 4 percent of annual global turnover in the previous year.
GDPR has extra-territorial applicability and affects all businesses with an EU interface. All businesses offering “goods and services” to data subjects in the EU, or monitoring the behaviour and activities of individuals in the EU, fall within the scope of the new regulation. Businesses with large customer interfaces, such as those in aviation, hospitality, outsourcing, healthcare, and the information technology sector, are likely to be the most affected.
Business not as usual any more
GDPR provides substantial rights to EU data subjects, including those using online websites and applications, whose data, like that of users in the rest of the world, has until now been subject to unauthorized sharing for commercial purposes. Personal data has hitherto been unscrupulously harvested by tracking the online behavioural patterns of data subjects. The new rule seeks to put the brakes on online tracking and protect the integrity of the personal data of EU data subjects.
What should businesses do?
Businesses first need to analyse their EU touchpoints in order to determine whether GDPR applies to them. The new regulation focuses on demonstrating compliance and requires adopting ongoing technical and organisational measures to ensure that the rights of data subjects are adequately protected. Creating awareness, updating systems and technology to comply with the new rules, adopting a policy of ‘privacy by design and privacy by default’, and, most importantly, securing the personal data of data subjects through pseudonymization and encryption will help business entities on the long road ahead.
A major hurdle that entities may face in implementing GDPR compliance concerns the cross-border transfer of the data of EU data subjects. GDPR permits data to be transferred outside the EU in certain cases, including where the third country provides an adequate level of protection as envisaged under GDPR, or where binding corporate rules or standard data protection clauses have been adopted, among others.
India and the road ahead
India will soon roll out its own data privacy and protection legislation, which may draw substantially on the principles of GDPR. Compliance with GDPR will, therefore, help Indian businesses be future-ready for the upcoming domestic law. It will also boost public confidence and provide a competitive business advantage.
The journey called GDPR
GDPR is a journey that will evolve over time. Businesses will have to incorporate data privacy into their institutional compliance frameworks and implement strategies over the course of time. An important aspect to watch, now that GDPR has come into effect, is the actual enforcement and the penalties meted out for violations under the GDPR. GDPR will be under close scrutiny across the world by governments, regulators, data protection experts, and the public in general. If its provisions are not rigorously enforced, it may quickly lose steam. GDPR is a laudable step towards ensuring greater rights for individuals, and it should not become yet another piece of legislation with extensive rights on paper and little implementation.
Hence, it is an interesting time for business entities and individuals alike to closely follow the evolution of GDPR in the coming days.