Legal

Cookie Policy

Last Revised: May 11, 2023

Information we collect through cookies

Cookies or “HTTP cookies” are small files stored on the user’s browser by different websites they visit. Websites have scripts that generate cookies and add them to the user’s browser. These cookies record the user’s local settings and the websites visited. When the user visits the same website again, the browser sends back these cookies. This allows the website to show personalized and customized information that is relevant to the user’s needs.

Although cookies have a negative reputation when it comes to privacy, they can be beneficial for digital marketers as they can help learn about a user’s activity and improve website engagement. In terms of privacy, it is important for organizations to follow their policies and settings regarding privacy laws and fraud prevention to maintain business ethics and demonstrate that their use of cookies is not harmful to users or society.

We want to make our services simple, useful and reliable. Where we provide services online this sometimes involves placing small pieces of information on your device (computer or mobile phone) in the form of a ‘cookie’ stored in your web browser.

Managing cookies

A cookie comprises valuable data and is made using one or more of these five attributes:

  1. Domain: It specifies the domain name of the website and indicates which cookies should be sent. The domain name is set to the hostname by default, so the cookie value is sent whenever a request is made to the hostname.
  2. Value: The information stored through cookies is called the value and it is set in a “Key” and “Value” pair. It is typically a string in the format of “name=value”. If there are multiple cookies for a request, they are separated by semicolons and spaces, like this:
    “Cookie: value1; value2; name1=value1”
  3. Path: Similar to the domain, the path specifies the webpage that sets the cookies. It indicates a URL path that must exist in the requested resource before sending the cookies.
  4. Secure: It ensures that the cookies are only sent to HTTPS servers. The purpose of the “Secure” attribute is to prevent unauthorized parties from accessing or observing the data.
  5. Expiration: Expiration is a date after which the browser will delete the cookie. It specifies the date when the browser should no longer send the cookie to the server. If it is left empty, the cookie will expire as soon as the browser is closed.
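To make the attribute list above concrete, here is an added example (not part of the original policy or of this site's code) that parses `Set-Cookie` headers and reports what the Domain, Path, Secure and Expiration attributes imply for each cookie. The header strings, function names and the `Max-Age` handling are assumptions introduced for illustration.

```javascript
// Added example: audit Set-Cookie headers against the attributes listed above.
// SAMPLE_HEADERS is constructed sample input, not captured from any real site.
const SAMPLE_HEADERS = [
  "session_id=abc123; Path=/; Secure; Expires=Wed, 01 Jan 2030 00:00:00 GMT",
  "prefs=lang=en; Domain=example.com; Path=/shop",
  "tracker=xyz",
];

// Split one Set-Cookie header into its name/value pair and its attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error(`malformed cookie pair: ${pair}`);
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1), // the value may itself contain "="
    domain: null, // null = host-only: sent only to the hostname that set it
    path: null,
    secure: false,
    expires: null, // null = session cookie, dropped when the browser closes
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "path") cookie.path = val;
    else if (key === "secure") cookie.secure = true;
    else if (key === "expires") {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) cookie.expires = new Date(t);
    } else if (key === "max-age" && /^-?\d+$/.test(val)) {
      cookie.expires = new Date(Date.now() + Number(val) * 1000); // not on the page
    }
  }
  return cookie;
}

// Turn the parsed attributes into findings a reviewer would care about.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.secure) findings.push("no Secure: may be sent over plain HTTP");
  if (c.expires === null) findings.push("no expiration: session cookie");
  if (c.domain !== null) findings.push(`Domain=${c.domain}: also sent to its subdomains`);
  return { name: c.name, findings };
}

for (const h of SAMPLE_HEADERS) console.log(JSON.stringify(auditCookie(h)));
```
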

These pieces of information are used to improve services for you, for example by:

  • enabling a service to recognise your device so you don’t have to give the same information several times during one task
  • recognising that you may already have given a username and password so you don’t need to do it for every web page requested
  • measuring how many people are using services, so they can be made simpler to use or respond more quickly
  • recognising which people are visiting our web pages through social media sites, to make it possible to use targeted advertising to ensure you are seeing our most relevant content

We will not use cookies to collect personally identifiable information about you.

Browser settings

Before we go any further, it’s important to understand that using cookies to collect information about people has some risks. While this information can be useful, you must obtain permission before using it. Laws like GDPR make it illegal for websites to use certain tracking cookies without user consent, except for those necessary for the website to function. It is best to follow rules for using cookies and ensure that you are not invading people’s privacy. Even tech giants like Google, Facebook, and Amazon have faced severe sanctions for violating these rules. For small businesses, these penalties could be financially devastating.

Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses cookies, text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google uses this information to evaluate your use of the website, compiling anonymised reports on website activity for website operators and providing other services relating to website activity and internet use. Google may transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.

Google Analytics sets cookies to help us accurately estimate the number of visitors to the website and volumes of usage. This is to ensure that the service is available when you want it and fast.

For further details on the cookies set by Google Analytics, please refer to the Google Code website.

Liability

General Data Protection Regulation (GDPR) is a data protection regulation introduced by the Information Commissioner’s Office (ICO) in the European Union (EU) in April 2016 that came into effect on 25 May 2018. It replaces the Data Protection Directive (DPA) of 1995 and sets out regulations for the data protection of people in EU member states; it spans 88 pages and includes 99 Articles and 173 Recitals. The law applies to all bodies, regardless of their location, that deal with the user data of EU residents. For example, even if a website is not based in the EU but has visitors from the EU member states, it must take the necessary steps to become GDPR compliant.

This article aims to break down GDPR, its key features and requirements, and what it means for organizations and individuals.

Before discussing the Regulation in detail, let’s get acquainted with some of the commonly used terms related to the GDPR.

“Data Subject” (Individual/User) means a natural person who can be identified by their personal data.

“Personal Data” refers to any information that is used to identify a data subject, alone or with other data, e.g., name, age, phone number, bank details, email, login credentials, IP addresses, location, identification numbers, etc. It also includes ‘sensitive’ data such as information about a data subject’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life, or sexual orientation.

“Controller” is any natural person, organization, legal body, or public authority that, alone or with joint control (known as Joint Controller), decides why and how to process the personal data.

“Processor” is any natural person, organization, legal body, or public authority that processes the data on behalf of the controller.

“Processing” is any set of operations performed on personal data, e.g., auditing, recording, transmitting, storing, collecting, erasing, modifying, profiling, etc.

“Supervisory Authority” is a public authority from the member state that monitors the exercise of data protection regulation to protect the rights and freedom of the data subjects.

“Pseudonymisation” is a technique of data processing in a manner that the personal data can no longer be associated with a data subject without the use of additional data. The additional data is kept separately from the pseudonymized data.

Principles

To comply with the GDPR standards, the data controllers should strictly adhere to the following principles as established by the ICO:

  1. Lawfulness, fairness, and transparency – Personal data should be processed lawfully, fairly, and transparently.
  2. Purpose limitation – Data collected should only be processed for the intended purpose.
  3. Data minimisation – Only the data required for the intended use should be collected.
  4. Accuracy – Data collected should be accurate and kept up to date. Inaccurate data should be erased or rectified without any delay.
  5. Storage limitation – Data should not be kept longer than the specified retention period.
  6. Integrity and confidentiality (security) – Data collected should be kept and processed safely.
  7. Accountability – The data controller should be able to justify that they are complying with the GDPR standards.

Consent

Consent is one of the most critical parts of the GDPR standards. The regulation establishes that the controller cannot process the personal data without the data subject’s consent (except in specific circumstances). It puts the data subjects in charge and control of how and what personal data should be processed. Consent must be a) freely given, b) specific, c) informed, and d) unambiguous. Freely given indicates free and valid choice without any undue pressure put upon the data subject. It should be as easy to withdraw the consent as it was to give it. Specific consent means the controller should specify the exact purpose behind the data collection. The controllers must inform the data subjects of why and how their data will be used by the controller using plain and clear language. Consent must be unambiguous and explicit, and the data processing should be done within the limit of the intended purpose.

In case of seeking consent from children, the controllers should make sure they meet the age requirement; otherwise, obtain parental consent.

The specific circumstances under which the controllers might not require consent are:

  1. Contractual basis
  2. Legal obligation basis
  3. Vital interests of the data subject
  4. A public task
  5. Legitimate interests basis

Breach Notification 

If a breach is known to have occurred, the regulation mandates that the controllers and processors should notify the supervisory authority (of the respective EU member states) within 72 hours. If the breach poses a high risk to the rights and freedom of the data subjects, they must also inform the affected data subjects about it and advise an action plan. The controllers must have in place a reliable and effective process to tackle such scenarios.

If the breach does not result in any risk to the data subjects’ rights and freedom, the controllers need not report it to the authority. ICO’s website provides a self-assessment to decide if the breach is risky enough to be notified.

Data Subject Rights

Data subjects can exercise the following rights, and the controllers should inform them of the same:

  1. Right to be informed – Data subjects should be informed about why, by whom, and how their data will be processed, and the intended purpose and source from where they collected the data.
  2. Right of access – Data subjects have the right to access their data as well as request a free electronic copy of the same.
  3. Right to rectification – Data subjects can ask the data controllers to rectify their inaccurate or outdated data without delay.
  4. Right to erasure (Right to be forgotten) – Data subjects can ask for the deletion of their data in case of withdrawal of consent, inaccuracy, unlawful processing, legal disputes, or expiration of the retention period.
  5. Right to restriction of processing – Data subjects can ask for restricting the processing of their data in case of withdrawal of consent, inaccuracy, unlawful processing, legal disputes, or expiration of retention period.
  6. Right to data portability – Data subjects have the right to ask their data to be transferred back to them or another controller in a commonly used and machine-readable format.
  7. Right to object – Data subjects can object to the processing of their data in case of withdrawal of consent, inaccuracy, unlawful processing, legal disputes, or expiration of retention period.
  8. Automated individual decision-making, including profiling – Data subjects can ask to use manual methods instead of automated machines to process their data.

The data controllers should respond to the data subjects as quickly as possible, i.e., no later than one calendar month from the day they receive the request. In case the controllers need additional information, the calendar month starts from the day they receive it. In case of complex or multiple requests, the controllers can take a maximum of three calendar months to respond. 

The data controllers may refuse to comply with a request if it is:

a) manifestly unfounded; or

b) excessive.

Manifestly unfounded requests are those where the data subject offers to withdraw the request in exchange for a favor from the controller, or where the request is intended to harass the controller or its employee(s) or to cause disruption.

Excessive requests are repeated requests (without legitimate reasons) or overlapped requests relating to the same set of data.

However, this depends on the context of the request.


Social media and Google remarketing 

We use technologies such as cookies and conversion pixels from vendors such as Google, Facebook and Twitter to customise content and advertising, to provide social media content that is more relevant, and to analyse traffic to the site. We also share information about your use of our site with our trusted social media, advertising and analytics partners.

These cookies or conversion pixels enable us to build audiences from our website for advertising campaigns served on Google Content Network and social networks. By visiting our site, a relevant advert may appear in your social feeds or as a paid search result on Google.

Opt-out of Facebook remarketing here

Opt-out of Google remarketing here

Opt out of Twitter remarketing here

If you do not have a Facebook account you may opt-out through the Your Online Choices service.
