The mark of 2018, an alarming beginning for most of the organizations today. On one hand, some are ready to welcome the new Data Protection Regulation: EU-GDPR while some are still struggling to understand what it really is and how it is different from general data protection laws.
GDPR is like a double-edged sword which has made companies to re-look into their data protection practices. Now the question in minds of many is
Why a European Regulation GDPR has become an alarming Regulation for Companies across the Globe?
The answer to this lies in the significance that EU-GDPR has and how it differs from other data protection laws. This post will help you understand the most talked about topic: EU-GDPR, and how it stands in isolation against all other data protection laws.
What makes EU-GDPR different?
EU- GDPR is the new General Data Protection Regulation for the European Union. Every country today has their own data protection laws and yet EU-GDPR has attracted attention from all the parts of the world. The regulation complements as well as supplements most of the data protection practices today.
Let’s get insight to the regulation and see how it really differs:
1. EXTRA-TERRITORIAL JURISDICTION
Countries today are sovereign and are bound by their own laws and regulations. None can impose its laws upon other country. A very interesting thing about EU-GDPR is its extra-territorial Jurisdiction. The regulation does not expressly claim its jurisdiction beyond EU but implies it by taking into its ambit all the organizations who serve EU citizens. It is not only applicable to establishments based in European Union but also to all those companies that either sell goods or offer services to EU Citizens even if not established in EU. To put it into simple words, if you are an Australian company, have no base in any member country of EU but citizens in Europe can avail your services through your website operational in their country, you are still bound by General Data Protection Regulation.
2. REGULATION AND NOT A DIRECTIVE
It is very important to understand how regulation differs from a Directive.
A directive is an aim or a result that the union wants to achieve and the member states make their respective national legislation to achieve the said result or aim. It is the discretion of the member states to decide what to do, how and when to achieve the objective of the directive. Every member state may have different laws upon the same subject and enforce it at different times, depending upon their preparedness.
In case of a regulation, it has a legal binding on the member states as it is and comes into force on a set date decided under the regulation itself. It is binding on all the member states to comply to the regulation from the date of its enforceability. GDPR is a regulation that all member states of EU need to comply with or to say, shall be enforced from 25th May 2018 and non-compliance beyond that day shall result in penalty. Since it has extra-territorial jurisdiction, all the companies doing business in union need to comply to the GDPR by 25th May 2018.
3. REGULATION THAT EMPOWERS DATA SUBJECTS
Most of the data protection laws today lay obligation of companies to protect data and talks of their duties and liabilities. It is more organization concentric. The companies still had monopoly over the data they collect. GDPR is one of its kind to expressly recognize and state rights of the data subjects. It empowers users and gives them control over their data entirely. A few of the empowering rights recognized under GDPR:
- Right to access: A data subject can any time access its data with the organization and may update it at its will.
- Elimination of access fees: Any cost incurred for accessing the information shall not be borne by data subject, rather will be on the organization to ensure free access to the data subjects.
- Right to be forgotten: An individual has right to get his entire personal data erased. In such a case, the organizations will have to erase the personal data of the individual from even any data back-ups to ensure that the data is completely deleted or that the data subject is “forgotten” and can’t be restored.
- Right to deny Processing: A data subject can anytime withdraw its consent of processing personal data. On happening of such withdrawal, organizations will immediately have to stop all the data processing activities over the data of the said data subject.
- Right to Data Portability: Any point in time, a data subject may want to move to a competitor for services, and has right to get its personal data ported safely and free of cost from present organization to another. The organizations will have to bear the cost of portability.
- Right to deny Analytics: Data subjects are also empowered to deny an organization for evaluating them by automated processed or using analytics over their personal data. Earlier, organization could analyze the personal data of the individuals, evaluate them and offer services. Now, it is in the hands of the data subject to allow or deny such analytics.
- Right to know about a breach: Data Subjects have the right to know in case any personal data has been breached. The controller has the obligation to inform the data subject about data breach, the extent of such breach, consequences, etc., within 72 hrs. of first having become aware of it.
4. PENALTY THAT CAN MAKE BUSINESS GO BANKRUPT
Non-compliance can make a lot of companies to either go down or become bankrupt since the penalty for non-compliance can be maximized up to 4% of the Annual Global turnover or 20 million €, whichever is greater. If a company is unable to demonstrate compliance or that processing was consented, it can be fined for non-compliance.
5. A REGULATION WITH CAPABILITIES OF SETTING GLOBAL STANDARDS
Due to globalization and increased International business, there are rare or no chance that companies in any part of the globe would not have any business in the entire EU. Due to extended jurisdiction of GDPR, all the companies will also be bound by GDPR to continue their business in EU. Nations will also have to bring in laws which are consistent to GDPR to continue and discharge their trade related treaties with EU and its member states.
6. A MANDATORY DATA PROTECTION OFFICER
Companies that regularly process personal data or special category of data will have to employ a dedicated Data Protection Officer for all its data protection practices and compliance.
The regulation has brought new horizons to prevailing Data Protection Laws and has become the new face for them. The entire globe will see a radical shift in data protection practices post enforcement of EU-GDPR. It is high time when companies across globe, and even nations start taking proactive measures to comply to GDPR.
In our next post, we will help companies comply to the Regulation, till then, stay connected.
Keep Protecting! Happy Processing!