Approved and adopted by the European Union (“EU”) Parliament in April 2016, the General Data Protection Regulation (“GDPR”) shall come into force in May 2018 after a two-year transition period. The GDPR has been enacted primarily to ensure a uniform blanket legislation governing the security of data across all member states of the EU. It seeks to replace the Data Protection Directive of 1995 (“Directive”)[1] and bring into force stricter parameters of consent, the concept and mandate of data portability, and a special ‘right to be forgotten’. A welcome development, the implementation of the GDPR will dramatically reduce the burden of registrations on multinational enterprises.
Consequent to its enforcement, the participating states of the EU will no longer need to legislate on data protection and governance at a national level. Furthermore, any entity across the globe that markets its products or services to residents of the EU shall be subject to the GDPR regime. Thus, the far-reaching implications of the blanket law will ensure that there is consistency in legislation and that no grey areas exist for manipulation, contrary to what has been noticed recently. The United Kingdom, post Brexit, is not mandated by law to implement the GDPR regime; however, the government has affirmed its stance of imposing an equivalent alternative legal mechanism consistent with the scheme of the GDPR.[2]
Other than providing an impetus to the online marketplace, the GDPR also imposes harsh penalties for non-compliance. Any entity found to be in violation of the GDPR regime may be held liable to pay penalties of up to 20 million Euros or 4% of global annual turnover, whichever is higher.
The entire refurbishment of the law is built around the notion of personal data as defined under European law. Thus, it would be pertinent to reproduce the definition as stated under Article 4(1) of the GDPR for the sake of clarity and purpose. The proposed Regulation defines ‘personal data’ as “any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.” The concept of sensitive personal data remains primarily unchanged, with the proposed Regulation under Article 9(1) defining it as “any personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.” Data associated with criminality and convictions is addressed separately under the proposed Regulation. Although the GDPR makes minor changes to the definition of ‘processing’ by adding the terms ‘structuring’ and ‘restriction’ to the definition prescribed by the EU Directive, this does not amount to a major difference in practical implementation.
The proposed Regulation is replete with nuanced intricacies, a summary of which would require a long checklist; however, conforming to the following steps will go a long way towards ensuring that you are not stepping into the line of fire:
It is advisable to create an expansive record of the personal data presently being held, its source of origin and with whom it has been shared. For this purpose, it is important to be very careful while documenting such data, as any slip-up may lead to a violation of the GDPR. Consequently, an information audit across the enterprise, both horizontally and vertically, is recommended for ensuring compliance with the proposed Regulation. The rationale for the audit follows directly from the objective of the GDPR, which intends to update the tracking of personal data for a better-networked and more transparent world. Hypothetically, if you have shared inaccurate personal data with another organisation, it is your duty under the Accountability principle of the GDPR to apprise that organisation of the inaccuracy. Unless an audit is performed, it is unlikely that personal data can be properly documented in consonance with the requirements of the GDPR.
Although the enforcement of the GDPR may seem far off, this leaves no room for laxity for anyone conducting business in the EU. Evolved to create transparency and confidence in the conduct of online services, both outbound and inbound, the GDPR in all practicality makes the protection of personal data a fundamental right of the citizens of the EU. It is predicted that such a transition will lead to a booming electronic marketplace. On the downside, however, it also places an additional burden on the relevant entities to collect data in the specified manner. Consequently, it is high time that top management prioritises cyber readiness to comply with the hygiene standards that the GDPR is advocating.
[1] Data Protection Directive 95/46/EC (1995)
[2] http://www.eugdpr.org/gdpr-faqs.html