In today’s consumer-driven market, an individual’s personal information lies with various organisations and entities such as smartphones, smart devices and wearable technology, social media account, e-commerce service providers, bank account, insurance account, income tax authority and much more. What all of this means is that, as consumers, our personal information gets exposed to numerous organisations, both public and private.
There have been many instances where this personal information has been used to infringe on individuals’ rights and freedom.
Existing European data protection rules, mainly expressed via the European Union (EU) Directive 95/46/EC, laid out a respectable foundation for the development of data protection regulations by the EU member states. The EU GDPR replaces the Data Protection Directive 95/46/EC and is designed to harmonise data privacy laws across Europe to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy. Some of the key changes introduced under the General Data Protection Regulation (GDPR), that benefit data subjects include:
Wider scope: While the GDPR applies to organisations established within the EU, the scope has been extended to include all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location. The GDPR aims to protect consumer data that will impact business in not only the EU but also the US and the rest of the world.
Consent: The conditions for consent have been strengthened. Under the GDPR, consent needs to be ‘freely given, specific, informed and unambiguous’. This means that consumers have the freedom to either choose to provide or withdraw their consent for specific services. For example, a company providing travel services to its consumers shall not be able to deny travel services to its consumers if the consumers do not opt in (consent) or opt out (withdraw consent) from receiving any marketing mailers, subscriptions or newsletters from the company.
Right to access: The previous EU data protection laws provided data subjects with specific rights to promote transparency and control personal data. However, the current GDPR has expanded the rights of data subjects to the provision of a confirmation from the data controller as to whether or not personal data concerning them is being processed, where and for what purpose, as well as a copy of the personal data, free of charge.
Data portability: This provides data subjects the right to receive personal data concerning them from companies in a ‘commonly used and machine readable format’ and the right to transmit that data to another controller.
Right to be forgotten: Also known as data erasure, the ‘right to be forgotten’ gives the data subject the right to have the data controller erase his/her personal data, cease further disclosure and also get the controller’s third parties to comply with such requests.
The GDPR has also enforced strict regulations for companies to safeguard personal data of data subjects, respect the privacy of data subjects and minimise the risks to the right and freedom of data subjects. Some of the key measures include:
Enforcement and liabilities: The regulatory liability for non-compliance for companies can exceed 20 million EUR or 4% of the worldwide annual turnover.
Privacy by design: Under the GDPR, it is mandatory for organisations to ensure that appropriate privacy and security measures are identified and implemented at every stage of personal data collection/processing. This may include business processes, applications and technical solutions.
Breach notification: One of the key requirements is the breach disclosure requirement, which will effectively require organisations to ‘wash their dirty linen in public’. Under this requirement, organisations have a mandatory obligation to report to data protection authorities any data breach that may pose a risk to the rights and freedom of individuals. Organisations are also required to inform individuals about the steps they should take to protect their data.
Use of third parties: The GDPR introduces specific requirements for organisations to carry out appropriate due diligence processes and contractual obligations that need to be agreed upon with third-party vendors to address risks around the misuse or inappropriate use of personal data by these companies.
To conclude, we are already looking at a cultural change where organisations are reaping the benefits of adopting a more transparent approach, giving control of data back to individuals, addressing their rights and essentially building trust with their consumers. As consumers, it means more power and control over our own data and its destiny.
Sivarama Krishnan is leader, cyber security, PwC India