Well with everyone talking about GDPR, you are very likely to stumble on some mention of GDPR at some point while browsing the internet. So, I explain GDPR on a high level using some questions.
What is GDPR?
GDPR stands for General Data Protection Regulation which is a part of European Commission's plans for 'data protection reform' across Europe. Simply put, GDPR aims to give EU citizens more control over their personal data.
When does it come into effect and who does it apply to?
It will come into force on May 25, 2018. All the member nations are expected to have transferred it to their own law by May 6, 2018. GDPR besides applying to organizations operating within the EU will also apply to those who offer goods or services to in EU irrespective of where they are located. This means that any big organization will have to be GDPR compliant by May 25 or else face fines.
What does GDPR bring to the table for a day-to-day user?
It will come into force on May 25, 2018. All the member nations are expected to have transferred it to their own law by May 6, 2018. GDPR besides applying to organizations operating within the EU will also apply to those who offer goods or services to in EU irrespective of where they are located. This means that any big organization will have to be GDPR compliant by May 25 or else face fines.
What does GDPR bring to the table for a day-to-day user?
- GDPR compliance
- personal data should be gathered legally under strict conditions.
- Those who collect and manage this personal data will be required to protect it from misuse and exploitation along with respecting the rights of the data owners
- Notification of data breach/hack
- Besides the right to know when and where is a user's data being used for, the organization is also required to inform the concerned nation bodies in case of any data breach (which can lead to loss of privacy) so that EU citizens can take appropriate steps to prevent data from being abused.
- This notification must be sent out within 72hrs of the organization first becoming aware and if the breach is serious the user/customer must be informed without "undue delay".
- Right to be forgotten
- A user can have his data deleted provided there is no ground for retaining it.
- This also means that company will have to keep track of entire information graph (what information has been collected and where is stored and being used) of the user and must also provide it to the user upon request.
Now, the part we haven't talked till now are the consequences of being non-compliant. So, this brings us to our next question.
What are the fines for non-compliance with GDPR?
These fines are by no means small. They can be rather extremely high. The organization may have to shell out as much as 4% of annual global turnover or 20 million euros(whichever is greater) for violations like unauthorized transfer of personal data, failure to put in place procedures for or ignoring user's access requests for their data. For violations like failure to report a data breach, failure to build privacy by design and ensure data protection itself is applied at the first stages of the project and/or failure to appoint data protection officer(if applicable), the fine is 10 million euros or 2% of annual global turnover.
These fines are by no means small. They can be rather extremely high. The organization may have to shell out as much as 4% of annual global turnover or 20 million euros(whichever is greater) for violations like unauthorized transfer of personal data, failure to put in place procedures for or ignoring user's access requests for their data. For violations like failure to report a data breach, failure to build privacy by design and ensure data protection itself is applied at the first stages of the project and/or failure to appoint data protection officer(if applicable), the fine is 10 million euros or 2% of annual global turnover.
Privacy by Design
I find privacy by design very interesting topic with huge potential to help preserve the privacy of the users. Article 23 (of GDPR) calls for controllers (data collectors and processors) to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing. The idea is to control access to data, or collect minimal data but these approaches don't go well in certain cases like when data breaches occur and servers are hacked as the malicious party has access to the data which can then be used for harmful purposes. Also in certain cases using additional information available like voter records, mortgage records etc. can be linked to an individual and reveal a lot of information which can lead to loss of privacy.
However, there is a somewhat orthogonal study about preserving the privacy of the user by collecting data in the privacy preserved manner rather than taking steps at a later stage to protect data in order to preserve the privacy. For applications, where the methods to collect data in privacy preserved manner can be used they have a huge advantage. In case of data breaches or models released to the public, the data cannot be linked to a particular user and inverse attacks to extract information regarding an individual can be avoided. More on this in sometime later in another blog post.
Conclusion
I believe collecting data in a privacy preserved manner wherever possible certainly has its own advantages as now you don't have to worry about data breaches (and subsequent use of data thereafter as it's not possible to link a single record to a specific user with certainty. For other cases where there is no workaround for some information, GDPR will definitely put users in more control by giving them rights to know when their data is being collected, where it is being used for, where and how is it stored and right to get their data erased if they want. Also, the organizations will now be legally accountable for any misuse of personal data or carelessness on their part to protect user's data with severe consequences if they fail to do so. All in all, GDPR will certainly be a welcomed move from a user's perspective.
More information about the GDPR regulation can be found at this link.