Some believe that “data is the new oil”, while others insist that data isn’t a finite commodity like oil but is more like water, which should be allowed to flow freely.
Be it oil or water, it is amply clear that the kind of data, access to such data and the control over it are shaping the current era in human civilization, often referred to as “the information age”. The use of technology is permeating everything we do: how we lead our personal lives, how we socialize and how we run our businesses. We are surrounded by rapid technological developments and are witnessing an explosive upsurge in the number of ways in which data is being used.
Needless to say, the focal point of data is an individual, and a huge chunk of data consists of his personal data, including information relating to the goods and services he consumes, his travel diaries, his social-digital interactions and even his tastes and preferences. All this data is primarily generated from the digital media used by an individual, most importantly from the “smart devices” connected to the borderless internet.
Data is fundamentally transforming the way individuals do business, how they communicate, and how they make their decisions. On the other hand, businesses are now building vast databases of consumer preferences and behaviours. All the data gathered from various sources can be compressed, sorted, manipulated, discovered and interpreted with the help of technology as never before, and can thus be more easily transformed into useful knowledge, thus presenting avenues for businesses to grow exponentially.
Against the backdrop of the digital boom and the advent of ‘global citizens’, data protection has become critical for organizations, now more than ever before, in order to meet the new privacy challenges posed by these developments.
To this end, came the EU General Data Protection Regulation (GDPR) which is said to be the most important change in data privacy regulations in 20 years, not only in the European Union (EU) but across the globe. GDPR lays down in detail the data protection policy requirements and has reshaped the way in which data is handled across every sector, from retail to healthcare to banking and beyond. It has created ripples around the world and set higher benchmarks for other jurisdictions to follow suit.
GDPR was approved by the EU Parliament on 14th April 2016 after four years of preparation and deliberations, and came into force on 25th May 2018, after giving organisations about two years to prepare for meeting the requirements set forth under the GDPR.
Upon enactment, GDPR became automatically applicable to all EU Member States, unlike a directive, which requires each Member State to draft its own national laws to give effect to its rules. Subsequently, GDPR was incorporated into the European Economic Area (EEA) Agreement in July 2018 and became applicable to the EEA, which includes all EU Member States (including, for the time being, the UK) and three of the four EFTA States, viz. Iceland, Liechtenstein and Norway (EU).
“It is believed that less than a third (28 percent) consider themselves fully compliant with the General Data Protection Regulation; 92% of those who were compliant reported having a competitive advantage as a result.”
Even more than 1.5 years after enactment, many organizations are clueless about GDPR’s applicability. When GDPR came to life, many organizations appointed data protection officers to manage their organisational needs in relation to compliance under the GDPR and hired external consultants to help them meet the new policy requirements. Even where organizations have updated their policies on paper, it is not clear whether, and which, measures they have adopted to ensure compliance with the GDPR. If an organization isn’t compliant with the GDPR, it might end up paying hefty fines and penalties. Beyond financial sanctions, organisations which fail to adhere to the requirements under the GDPR face the risk of having their credibility questioned.
What is the objective of GDPR?
The GDPR is data protection legislation which lays down the rules for the collection and utilization of personal data of individuals, with the aim of protecting them from data security breaches. The objective of GDPR is two-fold: firstly, to simplify the regulatory environment for international and EU-based businesses by unifying the regulation within the EU; and secondly, to strengthen the rights of people in the EU (whether EU citizens or not) by allowing them to have control over their data which is held and processed by organisations.
Whom does GDPR apply to?
Broadly speaking, any organization that does business in the EU (even if the organisation does not have a physical office location in the EU) or handles the personal data of individuals within the EU is required to comply with the GDPR. The realm of the GDPR is wide: it applies even to organizations that do not sell any goods or services in the EU but monitor the behaviour of individuals within the EU. Thus, GDPR affects organizations targeting the European market, providing goods and services (even on a no-cost basis) to, and/or holding personally identifiable information in respect of, individuals within the EU.
While prima facie it appears that the GDPR has been enacted only to protect EU citizens or EU residents, that may not be a correct statement to make. The provisions of the GDPR seem to have an extra-territorial impact, as they do not refer to the citizenship or residential status of an individual. On the contrary, it has been clarified that the intention of the GDPR provisions is to afford protection to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.
The GDPR holds both controllers (who determine the purpose and means of the processing of personal data) and processors (who process personal data on behalf of the controller, regardless of the actual place of the data processing) accountable for ensuring compliance with the provisions of the GDPR. Having said that, the GDPR treats the controller as the principal party responsible for ensuring implementation of appropriate technical and organizational processes to follow the GDPR. While the liability of the processor may be secondary, the processors too have direct obligations under the GDPR, unlike under the former law.
What does GDPR seek to protect?
The GDPR seeks to protect personal data. Quite often, there is confusion about what personal data encompasses. Any information which is related to an identified or identifiable natural person is referred to as personal data. Such information includes an individual’s name, an identification number, location data, an online identifier or one of several special characteristics which express the physical, physiological, genetic, mental, commercial, cultural or social identity of an individual. In practice, it also includes any data which is or can be assigned to an individual in any way, such as a telephone number, credit card number or employee ID number, account data, a number plate or physical appearance. Since it is an inclusive definition, the term “personal data” should be interpreted as broadly as possible.
Principles of the GDPR
The GDPR sets out the following principles, which lie at the heart of the data protection regime.
- Lawfulness, fairness and transparency – The individual must be informed why their personal data would be collected, who would have access to their personal data, the duration for which their personal data would be stored and such other details;
- Purpose limitation – Personal data should be collected for specified, explicit and legitimate purpose only and should not be further processed in a manner that is incompatible with the said initial purposes;
- Data minimization – Personal data should be adequate, relevant and limited in relation to the purpose. In other words, only such data as is absolutely essential to the purpose should be collected. Entities should be able to justify the amount of data collected, so they must design an adequate policy and document it;
- Accuracy – The personal data should be accurate and up to date. Organisations must ensure that any old or outdated data is erased, and any inaccurate personal data must be rectified without any delay;
- Storage limitation – The personal data must be kept only till such time as it is necessary for the purpose; and
- Integrity and Confidentiality – Efficient security measures must be adopted to ensure protection against unauthorized use or unlawful processing. Anonymisation or pseudonymisation systems may be put in place to protect the identity of the data subjects.
Exploring key requirements under the GDPR
The GDPR requires a legal basis for data processing. Explicit consent of the data subjects is one such legal basis and can help organizations avoid huge penalties. However, the consent requirement is often misunderstood to be an absolute must for processing personal data under the GDPR. This is, in fact, not true, as the GDPR outlines other legal grounds for lawful processing as well, such as the presence of a legitimate interest to process personal data, the necessity of processing personal data in order to perform a contract to which the data subject is a party, compliance with a legal obligation, etc. Having said that, consent is undoubtedly the most commonly used legal ground, as it is the easiest to obtain. Explicit consent allows controllers to do much more with the data than the other legal grounds, such as a legitimate interest or a necessity to process data, which are limited in scope and require a higher degree of proof.
Further, the GDPR mandates organizations to adopt and publish their privacy policies, which should clearly lay down the ways in which the personal data may be collected, transferred, processed, stored and protected, giving the data subjects a choice to not allow such processing of the personal data.
Should an organization process personal data on a large scale, or process special categories of personal data such as race, ethnicity, or religious beliefs, the entity would require a Data Protection Officer (DPO) to oversee the procedures adopted by the entity.
Rights of data subjects
Under the GDPR, data subjects have been vested with considerable rights. These rights are: the right to be informed, the right of access, the right to rectification, the right to erasure (to be forgotten), the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling.
Why is it important to comply with GDPR?
All controllers and processors which fail to comply with the provisions of the GDPR may be subjected to civil claims by the data subjects and to penalties, which are quite severe.
There are two levels of penalties under the GDPR. Infringement of certain provisions of the GDPR carries fines of up to €10 million or up to 2% of total global revenue of the preceding year, whichever is greater. Infringement of certain critical provisions of the GDPR may lead to penalties of up to €20 million or up to 4% of total global revenue of the preceding year, whichever is greater.
Further, it may not just be about heavy monetary penalties. Supervisory authorities, which are entrusted with investigative, advisory and corrective powers and duties in relation to ensuring the protection of personal data, are also empowered to take a range of other actions, such as demanding information from data controllers and data processors, issuing warnings and sanctions, imposing temporary or permanent restrictions on data processing, demanding the rectification, restriction or erasure of data, suspending data transfers to third countries, etc.
Further, the risk of not meeting GDPR requirements may be cost-prohibitive in other ways too. Research shows that cyber-attacks can cost businesses anywhere from $14.00 to $2.35 million per incident, and we are well aware that data breaches and attacks are growing all the time. Hence, the cost of an attack on an organisation can be considerable. Lastly, there is the added cost of brand and reputational damage. Therefore, it clearly helps if you are GDPR compliant!
As the regulation has hardly been put to the test so far, the scope and extent of applicability of the various provisions of the GDPR, especially whose data is protected (or not), is still not clear. We can expect more clarity only once formal clarifications are issued, its provisions are enforced and judicial precedent develops. In the meanwhile, organizations should shift their focus to how data protection laws such as the GDPR can help them reap unanticipated benefits like increased consumer trust, better customer engagement and, most importantly, revenue growth, rather than how they might be punished if they get it ‘wrong’. With the use of technology, the engagement of experts and mindfulness of the rights of consumers / users, this is quite achievable. Notably, industries have seen a correlation between the use of technology and greater compliance with the GDPR.
The GDPR poses both a new challenge and a potential opportunity for technology companies, finance companies, fintech companies, cloud service providers, data centre providers and marketers who will have to adopt stricter security measures, standards and processes to protect, process and manage personal data to ensure their compliance with the GDPR.
This material and the information contained herein, prepared by Algo Legal, are intended to provide general information on a subject or subjects and are not an exhaustive treatment of such subject(s). Algo Legal is not, by means of this material, rendering professional advice or services. The information is not intended to be relied upon as the sole basis for any decision. Algo Legal shall not be responsible for any loss whatsoever sustained by any person who relies on this material.