In the digital age, data has become one of the most valuable assets an organisation or individual holds. A breach of confidential data can compromise a person's financial standing as well as their social standing. To regulate the privacy, protection and export of personal data of individuals in the European Union (EU) and the European Economic Area (EEA), the General Data Protection Regulation (GDPR) was introduced. It gives every individual control over their own personal data. GDPR also simplifies the operation of international businesses by unifying data-protection rules across the entire EU.
GDPR has been in force since May 25th, 2018. Before it, a set of similar rules known as the Data Protection Directive (DPD) applied, but over time numerous shortcomings were identified in it, not least that a directive had to be transposed into national law and was therefore applied inconsistently across member states. GDPR was developed to address those shortcomings and is more specific and detailed in several areas. It is also written in technology-neutral terms so that it can keep pace with rapid developments in digital technology. The most striking feature of GDPR is how demanding it is, owing to its comprehensive transparency and accountability requirements.
Why is it needed?
It is understandable that, in order to perform their operations, organisations need access to data about the individuals they deal with. They process that data to carry out their business, and they usually have to store some of it as well. It is imperative that the way these organisations process and store personal data be subject to oversight. The first thing to be ensured is that the processing is lawful and documented. Secondly, security measures to prevent breaches, and proper agreements (for example between a controller and the processors it uses) to regulate how the data may be used, must also be in place. GDPR is therefore highly relevant: it requires vigilant protection of the data of individuals in the EU and makes the organisations handling that data accountable for preventing its misuse.
Structure of GDPR
Let us briefly discuss the defining characteristics of GDPR in order to understand it better. The principles on which it is based are data minimisation (not collecting data that is not needed), erasure of data that is no longer required, prevention of unauthorised access to data, and protection of data throughout its lifecycle. Some of the core requirements that shaped GDPR are described below:
I) Privacy by design (PbD): The concept has long been part of EU data-protection thinking, and GDPR makes it an explicit obligation ("data protection by design and by default", Article 25). Its function is to ensure that only the data needed for a purpose is collected, that privacy-protecting settings are the default, and that every processing activity rests on a lawful basis. Consent is one such basis, but not the only one; contract, legal obligation and legitimate interest are others, and consent, where it is relied on, must be freely given, specific, informed and withdrawable.
II) Right to Erasure and to be forgotten: Users have demanded this since the days of the DPD. It gives any individual the valuable yet controversial right to have their personal data deleted when it is no longer needed, when consent is withdrawn, or when the processing is unlawful, subject to exceptions such as legal obligations and freedom of expression. It applies to data published on the internet as well, including search-engine results.
III) Breach Notification: The organisation responsible for the data (the controller) must notify the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. Affected individuals must also be informed without undue delay, but only if the breach is likely to result in a high risk to their rights and freedoms. In practice this means an organisation needs working detection, an incident-response process and a decision record that shows when it became aware of the breach and how it assessed the risk.
IV) Data Protection Impact Assessment (DPIA): Before an organisation begins processing that is likely to result in a high risk to individuals (for example large-scale processing of sensitive data, systematic monitoring, or profiling with legal effects), it must assess the risks to those individuals' privacy and document the measures taken to address them.
V) Extraterritoriality: GDPR binds even organisations that have no physical presence in the EU, provided they offer goods or services to individuals in the EU or monitor their behaviour (for example through tracking on a website). Simply being reachable over the internet is not enough; the targeting or monitoring is what brings the organisation into scope.
Overall, data security is of primary importance in the information age. Transparency in how organisations handle data not only protects the freedom of users but also builds trust in the commercial ecosystem. A practical and considered set of rules such as GDPR therefore gives organisations a clear baseline and lets technological progress continue without eroding individuals' rights.
Author: Yogesh Prasad
Ethical Hacker, Information Security Consultant, Entrepreneur, Founder – Hackers Interview