The European Union’s ‘General Data Protection Regulation’: A Giant Leap for Data Privacy


With the emergence of the World Wide Web in the late 1990s, the attention of the world’s biggest economies, both developed and developing, shifted away from conventional industries.  Factories, mills, and manufacturing alone were no longer the measures of a nation’s progress.  Over the next ten years, the virtual world was strengthened by giants like Facebook, Twitter, and Google, which capitalized on the growing number of users across the world.  This appeared to be the next big thing after James Watt’s steam engine, and it worked wonders.

In the last decade, the world has turned to smartphones, with many active users permanently discarding their conventional desktops and laptops.  Apps for all kinds of utility services have grown in prominence, helping users obtain virtually any service, from a wealth manager to a welder.  Throughout this entire process, data has been paramount.

Enterprises, corporate establishments, users, consumers, and service representatives all participate in the data chain in some way or another.  Some provide data to obtain services, and some collect data to deliver services.  With such hefty operations in play, where does the security of one’s data lie?

Headquartered in Brussels, Belgium and founded in 1993, the European Union (EU) stood for the ideals of a continent looking to rebuild itself after being ravaged by two World Wars.  Free trade agreements, policy frameworks to assist businesses, and open borders were adopted to improve economic prospects, and to a large extent, they worked.  In 2016, however, the EU took another giant leap towards the future.

The European Union’s General Data Protection Regulation

After debates and deliberations that lasted over four years, the policymakers in the EU Parliament came to an agreement on data privacy and regulation, known as the General Data Protection Regulation (or GDPR, as it will be addressed from here on).  Passed on the 14th of April, 2016, it covers all the member states (including the United Kingdom, for now) and will be enforced shortly, on the 25th of May, 2018, which is why your business needs to understand the compliance issues involved.

Let us dig into the regulation first.

Replacing the Data Protection Directive 95/46/EC, the General Data Protection Regulation aims to streamline data privacy laws across the European Union, that is, across the member states of the EU.  With data privacy becoming a growing concern in a globalized yet virtual world, this regulation will be instrumental in curtailing the misuse of private data and will serve the interests of online consumers.  Organizations, corporate entities, and business ventures, virtual or physical, that fail to comply with the GDPR will be fined.

Changes Included in the GDPR

  1. Enhanced territorial jurisdiction: One of the major changes to the regulation is that it now extends to companies beyond the European Union. Unlike before, any business using the personal data of subjects (the population) residing within the EU, irrespective of the business’s location or the location where the data is going to be processed, will have to comply with the General Data Protection Regulation.  Even if no payments are involved, the regulation must be adhered to.  In addition, non-EU businesses using the private data of EU citizens will be required to have a representative in the EU.
  2. Penalties and punishments: Failure to comply with the General Data Protection Regulation comes with a hefty penalty of 4% of the company’s annual global turnover or €20 million, whichever is greater. The penalty will be issued if the company fails to obtain the required user consent to process the data or if it breaches the other listed privacy-by-design principles.  It must also be noted that ‘Cloud Storage Services’ will not be exempt from the regulation; whether based in the EU or not, they will be required to safeguard the data of their users.
  3. User consent: Unlike before, users will be informed about their data, and companies will no longer be able to manipulate users through extensive terms and conditions cloaked in elaborate legal terminology. The General Data Protection Regulation dictates that user consent must be requested in language that is simple, easy to understand, and non-technical, in order to avoid any conflicts that might arise from a consent request that is not intelligible.  The idea is to make both giving and withdrawing consent a simple process.

Rights pertaining to data in the General Data Protection Regulation

The core area of focus, data, has been given paramount importance in the legislation, and the following data rights have been laid down for effective application of the regulation across companies processing the private data of EU subjects.

  1. Right to access: Unlike before, subjects (the population, or an individual user) can obtain information about how, where, and for what purpose their data is being used. In addition, the entity controlling the data will have to provide an electronic copy of the personal data to the user.
  2. Right to be forgotten: If the user chooses to leave the controller or stop using its services, or when the shared information no longer serves its original purpose, the personal data must be erased, and no dissemination of the data to any third parties can take place, as discussed in Article 17 of the GDPR.
  3. Notifying breach: In case of a data breach, leak, or hack that compromises users’ rights, privacy, and freedom, entities and data processors will be required to notify their users/customers within 72 hours of the leak. Any delay would amount to non-compliance.
  4. Portability of data: The new General Data Protection Regulation enables data portability, allowing subjects to receive a personal copy of the private data they previously shared (in case they haven’t been provided one) in a ‘commonly used and machine-readable format’, which they can then share with another entity.
  5. Designing privacy: Effective data protection measures must be put in place to safeguard the private information of subjects. As the GDPR dictates, data protection measures will no longer be an option or a later addition, but an integral part of the information system.

Brexit and the General Data Protection Regulation

Brexit shook the world last year, when the United Kingdom, after a politically motivated referendum, chose to walk out of the European Union.  The referendum has passed, and companies working across the UK and Europe are currently struggling to come to terms with the exit.  In this scenario, what lies ahead for the General Data Protection Regulation in relation to Brexit?

Firstly, the United Kingdom triggered Article 50 earlier this year, which means that the process of its exit from the European Union will be complete by 2019.  Over the next two years, the UK and the EU are expected to engage in extensive and elaborate deliberations on their future relationship, and given how countless businesses are inter-linked with counterparts in Europe, the GDPR will be an integral part of the discussion.

Secondly, the GDPR was agreed to in April 2016, and the Brexit referendum took place in June 2016.  Even after the GDPR’s enforcement in May 2018, businesses in the UK will have to adhere to the regulatory framework until the process of exiting the EU is complete.  Thus, the UK will be a participant in the GDPR framework until 2019 (March-April, subject to negotiations).

Lastly, as of now the authorities in the UK have been quite vocal about retaining the GDPR as a domestic policy for businesses.  Therefore, even after the UK exits the EU, the GDPR will either be retained as policy, or a similar regulation will be drawn up for businesses within the UK.

If the current deliberations and the authorities’ statements hold any weight, the GDPR will not be swayed by Brexit.  If you are a company based in the UK and processing EU subjects’ data, it makes sense to adhere to the GDPR, as it is here to stay, either in its original or an enhanced form.

Net Solutions and GDPR

In the realm of web and mobile app development, data security is of significant importance.  As a leading developer of web and mobile apps across the world, offering a wide array of services that include web and app design, UX/UI interface design, data analytics, security, and enterprise mobile app development, among others, we understand that global regulations and compliance requirements can be tedious to keep up with, especially for startups and small and medium enterprises.

For those with an existing web or mobile property that processes data originating in the member states of the EU, the General Data Protection Regulation warrants some urgent upgrades to data collection, processing, usage, and storage.  As stated above, the location of your business doesn’t matter, and therefore compliance is unavoidable.

Starting with this one, over the next few articles we are going to cover how an enterprise must upgrade its existing web and mobile properties to adhere to the GDPR.  You can also reach out to us if you are looking to upgrade your web and app solutions in accordance with the new rules, or want to build something from scratch.

In an age where data has become a power to be reckoned with, the GDPR is one of the first significant steps towards empowering the consumer, ensuring transparency, and hindering data abuse on a global scale. At Net Solutions, our objective is to help you navigate this path of data regulation without compromising your business growth and aspirations.

Kundan Singh

About the Author

Kundan Singh heads the .NET team at Net Solutions and has over 14 years of experience in Microsoft Technologies. He also heads the Software Engineering & Processes Group at Net Solutions and is responsible for delivering key .NET projects.
