Faculty Mentor:
Ms. Priyanka Punyani
Student Name:
Ishita Taneja (MCA-II)
Dipali Aggarwal (MCA-II)
1. INTRODUCTION
“privacy policy has changed” and “just click here so we can stay in touch” are the most common pop-up that we have seen in the recent time while interacting with any online website.
The EU adopted the General Data Protection Regulation (GDPR) in 2016 and it is one of its greatest achievements in recent years. GDPR replaces the 1995 Data Protection Directive which was adopted at a time when the internet was in its infancy and it brings in an evolution on the previous laws. The EU has two years to ensure that it is fully implemented in the organizations by May 2018 i.e. the enforcement date.
2. NEED FOR GDPR
Bringing in GDPR allows us to have a proper right over our data. One of the major aspect about GDPR for user is that they must be informed about the processing of their personal data by the organizations, thus giving the users the right to opt out of data collection and processing.
GDPR consists of 99 Articles. Some of the articles having direct impact on users data are: Art (15) Right of access by the data subject, Art (16) Right to rectification, Art (17) Right to erasure.
We can request to erase our data that is stored on the servers when it’s no longer needed or if we feel that the data is being accessed or used unlawfully.
GDPR also allows us to request access and download our data from the servers that the organizations have stored for processing. Our personal data now truly has our true control!
Figure 1: DATA PROTECTION THROUGH GDPR
3. PENALTIES
Organizations will be fined up to 4% of their annual global turnover for breaking and breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of concepts.
This makes sure that no organization infringes the rules set by GDPR and giving a peace of mind to the user. Users get the power to hold companies to account as never before. If individuals begin to take advantage of GDPR in large numbers, by withholding consent for certain uses of data, requesting access to their personal information from data brokers, or deleting their information from sites altogether, it could have a seismic effect on the data industry. Having the power to actually know that your data is safe within a company is a heavy relaxation.
Almost every companies have started updating their sites to comply with GDPR. Facebook put forward a series of tools to “get people handle more of their privacy”, by unifying its privacy options and building an “access your information” tool to let users find, download and delete specific data on the site. The company also forced every user to agree to new terms of service. Apple revealed a privacy dashboard of its own – although the company proudly noted that, unlike its competitors, it does not collect much personal data in the first place and so did not need to change much to comply. Google took a different tack, quietly updating its products and privacy policies without drawing attention to the changes.
4. GDPR FOR US
Talking about most commonly used app, WhatsApp, one can find the enforcement of GDPR i.e. the ability to download user data by going in WhatsApp->Settings->Account->Request account info. For Instagram we can download and access our data at
Instagram-> user_profile->settings->Data Download. The implication of GDPR allows a full control over what data a server stores. Facebook and Google allows the same to be done.
5. GDPR LAWS
Figure 2: Analyzing GDPR
There are total 99 Articles under GDPR. Common ones are Right to Rectification (Article 16), Right to Erasure (Article 17), Right to Restriction of Processing (Article 18), Right to Data Portability (Article 20), Right to Object (Article 21) etc. Some of them are explained below:
5.1 Right to Rectification: Organizations must ensure that inaccurate or incomplete data are erased or rectified.
5.2 Right to Erasure: With the enforcement of GDPR, the user whose data is being stored/processed shall have the right to obtain from the organization, the erasure of personal data concerning him or her without undue delay.
5.3 Right to Restriction of Processing: If a user doesn’t provide consent for data processing or if the company doesn’t asks for a consent from the user, they do not have the right to process the data. Users are allowed to restrict companies from processing the data by not accepting the consent. If a company doesn’t need the data anymore, they are obliged to delete the data and are restricted from processing any further.
5.4 Right to Data Portability: Users can use their existing data from one company in another company. It allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
5.5 Right to Object: The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. An individual can make an objection verbally or in writing.
5.6 Right to have information corrected: this ensures that individuals can have their data updated if it is out of date or incomplete or incorrect.
5.7 Right to be informed: This involves gathering of data by companies, and individuals must be informed before data is gathered.
5.8 Right to access: Individuals have the right to request access to their personal data and to ask how their data is being used by the company after it has been gathered.
5.9 Right to be notified: If there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.
Fig 3: PRIVACY BY DESIGN
6. PREPARATIONS FOR GDPR-COMPLIANCE
There are many things a company has to do in order to be compliant with GDPR. If you have yet to to take the next step towards compliance, here are just a few ways to get started.
1. Map your company’s data
2. Determine what data you need to keep
3. Put security measures in place
4. Review your documentation
5. Establish Procedures for handling personal data
7. DATA BREACH
Any breach made on private data of a user must be reported by the company with in a 72 hour period or else the company has to face serious obligations unless the data stored cannot be retrieved by the thief i.e. there is some access key required and the data is encrypted.
With the application of GDPR companies have started reorganizing their way of work. They all know that they can be fined up to €20 Million and thus cannot risk breaching any rights governed by GDPR.
For us as a user we get to enjoy the true control that we have been looking for from a long time. Users are getting privacy conscious and thus they want to have the full control of their data and here’s where GDPR plays the most important role. Users become more powerful than the company.
8. CONCLUSION
Data is a valuable currency in this new world. And while GDPR does create challenges for us, it also creates opportunity.
The laws make a normal user much more powerful to handle his/her data with proper knowledge. The data always belongs to user and must have a consent from the user before being processed.
GDPR is not applicable on Government, military or any lawful suit and can access personal data. Websites not moving their privacy policies to GDPR can be fined upon infringement and unlawful storing of data.
9. REFERENCES:
1. https://www.eugdpr.org/
2. https://gdpr-info.eu/
3. https://en.wikipedia.org/wiki/General_
Data_Protection_Regulation
4. https://www.superoffice.com/blog/gdpr/