The European Union’s General Data Protection Regulation (GDPR) is one of the most significant pieces of legislation enacted in any sector in recent years. Since it became enforceable in May 2018, the GDPR has already driven a critical transformation in the way organizations store, handle, and process user data. We provided an overview of the GDPR and some of its key features in an earlier post, which can be seen here. In this post, we examine some of the key features of the GDPR in greater detail.

Definitions

Before we dive into the features of the GDPR, it’s important to clarify a few terms which are used throughout the GDPR in order to provide better context.

  1. Data Subject: A data subject is an end-user or customer whose data is being stored, handled or processed. By definition, a data subject has to be a natural person who can be identified from the user data provided.
  2. Processing: In the context of the GDPR, processing refers to any operation or set of operations performed on personal data (including by automated means). This includes collection, recording, alteration, storage, retrieval, transmission, erasure, destruction, and use of personal data.
  3. Data Controller: A data controller is any natural or legal person who determines the means and purposes of data processing.
  4. Data Processor: A data processor is any natural or legal person who processes personal data on behalf of the data controller.

For example, consider a situation where a marketing company collected data from a survey (the participants in the survey being data subjects), and used that data to send promotional emails to certain participants via a third-party automated email platform. The marketing company would be the data controller, and the email platform would be the data processor.

Key Features of the GDPR

As mentioned earlier, the GDPR imposes a number of strict obligations on data processors and controllers, ostensibly with the aim of driving customer-friendly decisions and practices. This is reflected in the major changes introduced by the legislation, which are detailed below:

Jurisdiction

As mentioned in our previous post on the GDPR, the regulation applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing actually takes place in the EU or not. It also applies to controllers or processors which are engaged in the processing of personal data of data subjects in the EU, if the activities relate to: offering goods or services to EU citizens/residents, or monitoring of any behaviour that takes place in the EU.

The GDPR also mandates that non-EU businesses must appoint an EU representative if the GDPR applies to them. Exemptions from this requirement are granted if the controller/processor can show that their data processing is occasional, or does not cover sensitive personal data.

For example, an Indian e-commerce website selling goods to EU citizens is required to have an EU representative; however, an Indian company offering cloud storage solutions to EU companies is likely to obtain an exemption, as it is only offering its services to legal persons (which are not considered data subjects), even if it may come into contact with the data of some EU citizens.

Rights of Data Subjects

A recurring theme in the GDPR is the importance given to consumer rights. Under the GDPR, data subjects are entitled to the following protections:

  1. Data controllers must obtain the express consent of data subjects to store, handle, and process their personal data. Further, data subjects must also be able to easily withdraw the consent provided. In the event that the data of minors (<16 years) is being collected, the consent must be obtained from the parent/guardian.
  2. A controller must provide data subjects with details as to whether their personal data is being processed, where such processing is happening, and the purpose of such processing.
  3. Data subjects may request that the controller erase their personal data, cease its further dissemination, or halt its further processing by third parties (this is also referred to as the Right to be Forgotten). However, this right comes with the caveat that the data controller must weigh the subject’s rights against the “public interest” in the said data being made available.
  4. Data subjects may obtain (free of charge) within one month of request, a copy of all personal data which has been processed by a controller.
  5. Data subjects may request the data controller to provide all previously provided personal data in a “commonly used machine readable format” and may then transfer the same to another data controller.
  6. In the event of a data breach where such breach “is likely to result in a risk for the rights and freedoms of individuals”, data controllers are required to notify data subjects of the same within 72 hours of first becoming aware of the breach.

Obligations on data controllers/processors

In line with the theme of consumer protection, data controllers/processors have a rather strict set of obligations imposed on them under GDPR. This includes:

  1. Most relevant to the Indian context are the restrictions placed on the export of personal data. Under the GDPR, personal data cannot be exported outside the European Economic Area unless the jurisdiction to which it is exported has been certified by the European Commission to have appropriate data protection measures, or specific export mechanisms have been put in place (for example, model contract clauses which have been approved by the Commission).
  2. The consent granted to collect data is use-specific, meaning that data collected during (for example) an e-commerce transaction cannot be used in marketing/promotional materials without obtaining a separate instance of consent from the data subject for marketing purposes.
  3. Any data collection consent notice must contain the exact reason for collection of the data, the period for which the data will be collected, and
  4. Data controllers are obligated to ensure that personal data is protected even if the data is being transferred to a third-party. This means that the controllers are accountable for a data breach even if there is a violation of the Regulation by a third-party processor.
  5. A key element of the GDPR is “Privacy by Design”. This means that systems and processes have to be built from the ground up to ensure that the privacy of personal data is retained. This philosophy also implies data minimisation (i.e. that only personal data which is absolutely necessary for the stated purpose is collected). The GDPR mandates that both data controllers and data processors take appropriate measures and install systems to protect personal data.
  6. Data controllers and processors are required to conduct a Data Protection Impact Assessment when initiating a new project, product, or service. The Assessment must also be carried out when a significant change (such as a new process, or change to an existing process) is introduced with respect to the manner in which personal data would be processed.
  7. Controllers and processors are required to keep detailed internal records of all data processing activities that take place.

Data Protection Officers

Under the GDPR, any controller or processor whose primary business involves the regular and systematic monitoring of data subjects on a large scale, the processing of sensitive personal data, or the processing of data relating to criminal convictions and records, must appoint a Data Protection Officer (DPO) who ensures that the organization is in compliance with the GDPR. The DPO must be an expert in data protection law, and may either be a staff member or an external appointee. Further, the DPO must report directly to the top tier of management, and must be provided with all necessary resources to carry out their tasks. The DPO is also required to be neutral and therefore must not be assigned other responsibilities which may cause a conflict of interest.

Penalties

As we briefly mentioned in our earlier post on the GDPR, the most significant change introduced by the Regulation is the strict penalties imposed on violators. Minor offences (such as not maintaining proper records, failing to notify breaches within 72 hours, or not conducting an Impact Assessment) would attract a fine of 10 million € or 2% of global revenue, whichever is higher. Serious breaches, such as not having sufficient consent to process data, would attract fines of 20 million € or 4% of global revenue, whichever is higher. These strict penalties (and the inclusion of a revenue-based penalty) mean that even large corporations such as Amazon or Facebook cannot afford to ignore the requirements of the GDPR.

It’s clear from the above features that the GDPR is a welcome step towards ensuring that consumer interests are given the highest priority. The obligations placed on processors/controllers would also go a long way in ensuring transparency and accountability, as well as the security and integrity of personal data. The spectre of strict penalties is also welcome, as corporations cannot afford to compromise on meeting their obligations under the Regulation. In our next post on this topic, we’ll be looking at the impact that the GDPR has had in the Indian context.