Latest posts by Aastha Tandon (see all)
- Perils of a Migrant Worker - October 24, 2018
- Can’t You Hear Me? - October 10, 2018
- GDPR: A Comprehensive Data Protection Regulation and its Impact on Individuals and Business Worldwide: Part IV Conclusion on GDPR - May 15, 2018
GDPR is a new data protection regulation which will be implemented from the 25th of May 2018. Part I of this series article explains what is GDPR and why it is needed.
Part I: Introduction to GDPR
We are divided by State boundaries, yet united by purpose or impact. It is difficult now to treat any person, body corporate or country with a singular independent view as events, legislations and discoveries with one invariably causes a ripple effect on others.
With the advent of “Internet of Things” (hereinafter referred as “IoT”) technology, communication, media, business and cultural exchange has grown by leaps and bounds. However, the impact of IoT has also led to some negative impacts such as cyber crimes, cyber bullying, data theft, and easier access to personal or sensitive data by illegal groups and in some cases unethical or negligent practices by established corporate entities.
It was to curb and be prepared for these unforeseen challenges that the European Union (hereinafter referred as “EU”) in 1995 enforced and implemented Directive 95/46/EC of the European Parliament[i] (which is also commonly known as the 1995 EU Data Protection Directive). The 1995 EU Data Protection Directive has now become outdated owing to the speed at which technology has grown, however it has served the purpose. In order to meet the security and processing challenges regarding personal and sensitive data protection of EU citizens, the General Data Protection Regulation[ii] (hereinafter referred as “GDPR”) was formulated.
What is GDPR?
- The GDPR was given assent on 14th April 2016 by the EU Parliament and the date of enforcement of this law was set as 25th May 2018, which is currently only a few days away.
- The purpose of this law is to empower and protect the citizens of the EU from the use and misuse of their personal and sensitive data by another individual or corporate body or entity.
- The GDPR has increased the obligations of a data controller[iii] and a data processor[iv] in order to regulate the security and use of data.
- The key feature of this law is that it has an extraterritorial effect and will also apply to data controllers and data processors located in territories other than the EU.
- It will regulate various industries, such as financial services, insurance, social media companies, etc. In short, it shall affect any industry or business which stores or maintains or processes personal data of EU citizens.
What is Personal Data?
According to Article 4[v] of the GDPR “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
From the above definition, we can infer that any information that helps in identifying or determining a person shall fall under the purview of this law. Therefore, examples of personal data shall include the following social security number (From an Indian context – PAN Card, AADHAR Card information, etc.), race, political or religious interests, gender, biometric information, etc. All such information needs to be obtained only by receiving an informed consent[vi] of the individual (who is the Data Subject) and such data shall be removed from the records as soon as the purpose of obtaining such data has been fulfilled.
However, it must be noted that such personal data recorded during criminal investigation or for criminal records under a legal proceeding or for the purpose of scientific, historical, statistical records or study under the directions of the Government of the EU Member Country may not require the permission of the individual or be removed from the records.
[i] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, https://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:31995L0046 last seen on 26th April 2018
[ii] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&qid=1490179745294&from=en Last seen on 26th April 26, 2018
[iii] Controller: any entity, public authority, company or person who decides why, how and what data needs to be collected and processed (handled). https://www.whatisgdpr.eu/definitions last seen on 26th April 2018
[vi] Article 4 of GDPR , Paragraph 11 defines Consent as follows: “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” https://gdpr-info.eu/art-4-gdpr/ last seen on 26th April 2018