General Data Protection Rules

Abstract

We are living in an era where key aspects of our lives revolve around data held about us. The tracking of this data either online or offline, results in the increase of threats like pharming, phishing, and usage of data by third party users (as in Cloud computing) or data brokers. Data is also susceptible to virus or worm attack, political or social manipulation, and improper data profiling. In order to fight back against these threats, one should work with ethics on big data, personal data security, and privacy of data.

Introduction

Growth and advancement in technology has captured the world like a web, where no individual is left uncaught. Collecting and analyzing credit card details and personal information like name, address etc. has led to tremendous increase in data which is stored and utilized for malicious reasons and monetary gain. Therefore, protection of data from unauthorized or unfamiliar access and avoiding data breach, forms a major concern for all businesses and services operating all over the globe. General Data Protection Regulation (GDPR) is an important change in the history of data privacy regulation, considering privacy of data to be a valuable asset to protect and not sell across different sectors. The rule doesn’t govern on data which is processed by an individual for purely personal reasons or any activities carried out at personal space, like home, without any connection to a professional or commercial activity. For example, inviting friends for party from own private address book through email.

GDPR-General Data Protection Regulation and its need

GDPR is an European Union (EU) regulation that governs to regulate personal information of customers by strengthening their rights to control, check, monitor, and delete information which is related to them.

Thus, GDPR is needed to ensure protection and privacy of personal data over the web.

History behind GDPR

Before implementation of GDPR, data protection rules were created across Europe in 1990’s first. In October 1995, Data Protection Directive 95/46/EC was created with the goal of regulating transfer of personal data and also harmonizing data protection laws. In January 2012, an initial proposal for updation of data protection regulation was made by the European Commission. In 2016, European Parliament and Council of European Union adopted GDPR after 4 years of discussion which was started in 2014.

After following a post adoption grace period of 2 years, GDPR became fully enforceable on 25 May 2018 replacing the Data Protection Act.

Who’s covered under GDPR compliance requirements?

GDPR applies to-

• all organizations holding, storing, and processing personal data of EU residents in any form- biographical information, workplace data, health etc., regardless of geographic location of organization.
• It also applies to organizations which offer goods or services to EU residents irrespective of the location (within boundaries or outside boundaries).
• Companies having more than 250 employees.
• Fewer than 250 employees if data processing includes certain types of personal data.

What are key policies to protect customers?

A major focus of GDPR is to have-

• Clearer, concise, simplified, and strengthened conditions of consent from data subjects and also its withdrawal or reverse should be easy way too.
• Compulsory notification of any data breach that may lead at risk the rights and freedom of individuals must be reported within 72 hours of its discovery. Data processors also required to inform their customers.
• Specific protection for children under age of 16 must include parental consent on their behalf to opt in to data collection.
• Imposing Heavy and strong penalties of 4% of global revenue or 20 million euro on serious violations like violation of core privacy etc. Few infractions are less expensive but still carry heavy penalty.
• In order to stick with the basic foundation of “privacy by design” and “privacy of default” better systems and processes must be built keeping in mind protection of data.
• The ‘right to be forgotten’ also called as ‘Data Erasure’ allows the data subject to request erasure of personal data from the controlling entity. The company should give access and copy of your personal data on request. Data Portability allows customers to transfer their data from one service provider to another.
• Appointing Data Protection Officer by data controllers (determines the means and purpose of processing personal data) and data processor (any person who processes the data on behalf of data controller) whose main role is to keep track of all the processing activities performed by the organization involving personal data and advising and assisting processor regarding GDPR compliance.

Impact of GDPR on Europe

Immediate affect of GDPR was seen when the complaint was received within forty eight minutes of enforcement, against US tech companies and social media companies for carrying out unsaid privacy violations thus strengthening customers right to protect misuse of personal data.

Businesses continued to serve their customers, send them emails, collect and store their data on lawful basis respecting the privacy of people and those who want to have their data deleted, as level of awareness among the general public’s perspective has changed. But for some small businesses, cost or expense of making business compliant with new rules and regulations were quite unbearable which in turn led to cutting down on services which were offered to European customers as compared to the other parts of globe.

Ezoic firm conducted a research and found that Ad rates have dropped in Europe since May 25.

According to report from Reuters Institute for the study of Journalism, the average use of third party cookies per page across Europe has dropped 22 percent resulting in delivering a better user experience and faster loading of web sites. Some marketing experts whose organization is GDPR compliant surprised them with the fact that customers are more receptive towards advertisements, thus, having developed trust and loyalty with the organization.

Impact of GDPR on USA

With enforcement of GDPR, US based social network giant Facebook reported a decline of about millions of MAUs (monthly average users) and less impact on DAUs (daily average users) as well as drop in advertising revenue growth and active users within Europe. Having globally connected user base, Facebook asked users to review their privacy settings that whether advertisers can target them based on religious and political views or their sexual orientation. Google changed its privacy policies making it much user friendly and had worked with team of experts to follow GDPR policies. Apple shared details to the customers on the type of personal data it holds on them and introduced service for EU countries (later, all over globe) which allows customer to see data from sign-in history to photos, documents, contacts, etc. and control data by correcting, deleting information or deactivating their account. It is easy for Big Tech giant businesses to comply with the new rule. But small and medium sized businesses who were less prepared were impacted on the grounds of budget.

Many US sites have continued to block European visitors after GDPR came into effect. After GDPR US state California also proposed to give its consumers control over data, starting January 1,2020 Californians can also determine what data if any is collected, sold or shared with third parties.

Impact of GDPR on India

In India, on 27 July, an Indian government committee released the Personal Data Protection Bill of 2018 based on the ruling by the Indian Supreme Court that every individual has the right to data privacy. Job opportunities in Cybersecurity have also increased in cities like Bangalore, Mumbai and National Capital Region comprising majority of IT startups and multinational companies. GDPR opened doors of opportunities for Indian companies in strengthening business with Europe.

Ethics of working with Big Data

Ethics or simple honesty differentiates the right and wrong behavior within a society. In today’s scenario, where business plays an integral part of society, organizations face difficulty to maintain profits and revenues and it is a data driven world, Data Ethics or Big Data Ethics can be defined as study and evaluation of moral problems related to collection, generation, processing, sharing and usage of data, particularly personal data. For example, in retail industry, big data technologies is used to suggest items, give attractive coupons, improve store layout based on customer movement but Tracking movements or shopping habits of customers, saving card details, sending invalid offers and other cybercrimes like bullying, hacking etc. arises questions related to privacy of an individual, degree of transparency in usage of customers data and control over voluminous data. Following principles are defined to form a big data ethics framework for both individuals and organizations-

•  Ownership-Most of the personal data describing individuals like GPS location, Genome data, financial transactions etc. are collected by means of internet services. Thus, Ownership involves determining who owns a digital identity?, who owns data, can rights be transferred and what are the obligations of people who generate and use that data?

GDPR indicates that individuals own their own personal data.

• Privacy-Understanding the extent of usefulness of what data to share, with whom, its purpose and when to share is context of privacy. For example sharing your medical history with doctor with the intent of getting improvement in health is ethically sound and doctor revealing the same patient’s medical history to other doctor for second opinion is also ethically sound, but sharing that medical history with the intent of marketing to agency sounds unethical. GDPR gives right to access and right to be forgotten to protect individuals privacy.
• Identity and Consent-An individual maintaining identity online and offline, thus, providing big data ability to analyze (aggregate, summarize etc.) various aspects of our identity without our participation. Thus, consent for using one’s data plays an important role. GDPR policy of keeping clear, concise and easy to understand consent allows individual or legal entity to use one’s data to the best of their knowledge and consent.
• Transaction Transparency and Openness-It is right of an individual to know how ones personal data is going to be used, what is the purpose of collection and how long will it be stored for. Thus, open or aggregated datasets should be available freely for the purpose of accountability and transparency. GDPR gives individual right to access and get his own data from organization.
• Reputation-Since an individual maintains offline and online identity, big data provides chances to form an opinion about what kind of person you are, even without interacting personally with the person which might affect one’s reputation. GDPR ensures to protect the same.

By collecting and aggregating the required data, identifying and scrubbing personal data, complying with all laws related to personal data, having a plan stating important information and allowing users to choose the data they are willing to share(privacy settings) are few ways in which companies can collect and analyze data in ethical manner without keeping safety and privacy of users on stake.

Conclusion

Authorization, Authentication, Administration, Audit and Data Protection forms the pillars of security for data being controlled over web. According to GDPR organizations must ensure data accuracy and integrity by granting right to access and correction, minimize individuals’ identity exposure by using pseudonymous or anonymous data, process data only for authorized purposes and implement data security measures by adopting right to be forgotten protocols. Just like a coin has two faces, so has been the impact of GDPR-some for better, some for worse. Organizations are working to implement the changes, and few have undergone the changes and operating as per law.

It has still been few months to implementation of GDPR but, its consistent implementation will reduce vulnerability to cyber threats, develop customers loyalty towards organization on concerns of confidentiality and overall increase of security in organization’s data resulting into good business plan. Data has been one of the leading drivers of generating revenues for organization in all sectors, thus, its ethical usage- keeping in mind both the growth of data science and privacy, ownership, identity of individuals and groups is the responsibility of organization. 

Cite this page