Introduction:

The General Data Protection Regulation[1] (hereinafter referred to as ‘GDPR’) is aimed at the protection of the personal data of persons residing in the European Union (hereinafter referred to as ‘EU’). This regulation is being brought into force to supersede the Data Protection Directive.

Implementation date:

The GDPR shall be effectively implemented from May 25, 2018.

What is personal data?

Article 4 of the GDPR defines Personal Data as ‘any information relating to an identified or identifiable natural person’. The definition broadly covers every small detail through which a person can be identified, like: name, address, telephone number, photos, email id, IP addresses, cookies, genetic data, and biometric data (hereinafter referred to as ‘personal data’).[2]

Scope of GDPR:

GDPR will have a wider reach as compared to any other data protection regulations around the world. Article 3 specifies that ‘the regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not’.[3]

In simple words, the scope of GDPR would include every company, public organization and charity existing in the European Union, irrespective of nationality. Any of the above organizations that is collecting, storing or processing personal data of any individual residing on European soil, both citizens and non-citizens, will come under the ambit of GDPR. Even service data providers, for example Cloud Service providers, who store or process data for any of the above-mentioned organizations will also have to follow the specific compliance obligations mentioned under GDPR.

Consent:

Consent cannot be assumed. Under this regulation it is mandatory to take consent in a specific manner, and it cannot be obtained in a manner which is inexplicable to a person not proficient in the field of law or technology, for example, in the case of click wrap agreements.

The individual/organization collecting data (hereinafter referred to as ‘data controller’) should:

  1. Establish that the consent to obtain the personal data was provided by the concerned person.
  2. Also provide the opportunity to withdraw the consent so obtained, and that opportunity should be easily accessible.

Even if a data controller has obtained such express consent prior to the implementation of GDPR, it would be required to ensure compliance with GDPR. It is expected that companies are likely to sign express GDPR consent forms with their clients so that express consent compliance can be achieved.

Children’s data:

Personal data of children can prove to be more sensitive in nature in certain circumstances, especially when they interact over the internet. Therefore, the parent or guardian or such other person that holds "parental responsibility" for a child below the age of 16 years shall act on behalf of the child for the purpose of providing or withdrawing the consent. The GDPR also provides that the age limit of 16 years may be lowered by the member state; however, it must be noted that such a limit cannot be lower than 13 years.[4]

Penalty:

The GDPR provides that it shall be obligatory for any company collecting, storing or processing the data of residents of Europe to inform the concerned data protection authority regarding any kind of data breach within 72 hours of it being known. Where the breach has not been duly reported to the data protection authority, a penalty of the higher of 4% of global turnover or €20 million can be levied on such company.[5]

Implications:

  1. The GDPR will warrant that the companies collecting, storing or processing the data of residents of Europe shall be doing it only for the precise and legitimate purposes as conveyed.
  2. The GDPR shall lead the individuals to realize the importance of protecting their personal data. This is expected to ensure the protection of right to privacy of EU residents while interacting with such data controllers.
  3. The GDPR will also make the companies accountable to expressly convey why the personal data is being collected and how such collection is done. 
  4. Apart from data collectors, service provider companies which process the data of clients will now be required to be GDPR compliant. Thus, such existing service provider companies who have been in the industry for long will also be required to obtain express consent from their clients.
  5. Since the penalty under GDPR for not informing about the breach can be levied on the global turnover, this is expected to influence the operation of companies with multi-national presence.