By: Sivarama Krishnan, Leader, Cyber Security, PwC India
In today’s consumer-driven market, an individual’s personal information lies with various organisations and entities.
Consider an individual like you and me. The person, in all likelihood, would:
What all of the above means is that, as consumers, our personal information gets exposed to numerous organisations, both public and private. There have been many instances where this personal information has been used to infringe on individuals’ rights and freedom. Therefore, like any other tangible or intangible item that a person owns and controls, an individual’s personal information and how it is used and handled should also be controlled by the person.
Existing European data protection rules, mainly expressed via the European Union (EU) Directive 95/46/EC, laid out a respectable foundation for the development of data protection regulations by the EU member states. While the framework was comprehensive, considering the time of its introduction (in 1995), it lacked uniformity of data subjects’ rights across the EU and did not provide legal protection from inadequate personal data processing outside of the EU. The EU GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy. Some of the key changes introduced under the GDPR that benefit data subjects include:
While the GDPR applies to organisations established within the EU, its scope has been extended to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location. The GDPR aims to protect consumer data, and it will affect businesses not only in the EU but also in the US and the rest of the world.
The conditions for consent have been strengthened. Under the GDPR, consent needs to be ‘freely given, specific, informed and unambiguous’. This means that consumers have the freedom to either choose to provide or withdraw their consent for specific services. For example, a company providing travel services to its consumers shall not be able to deny travel services to its consumers if the consumers do not opt in (consent) or opt out (withdraw consent) from receiving any marketing mailers, subscriptions or newsletters from the company.
The previous EU data protection laws provided data subjects with specific rights to promote transparency and control personal data. However, the current GDPR has expanded the rights of data subjects to the provision of a confirmation from the data controller as to whether or not personal data concerning them is being processed, where and for what purpose, as well as a copy of the personal data, free of charge. This essentially means that consumers have the right to know what personal data about them is collected and how such data is being processed by their service providers.
The right to data portability gives data subjects the right to receive personal data concerning them from companies in a ‘commonly used and machine-readable format’ and the right to transmit that data to another controller. This means that consumers have the right to ask their service provider to support portability of their personal data to another service provider when required.
Also known as data erasure, the ‘right to be forgotten’ gives the data subject the right to have the data controller erase his/her personal data, cease further disclosure and also get the controller’s third parties to comply with such requests. For example, if you as a user of a social networking platform are not comfortable with the information about your ethnicity, sexual orientation or preferences being collected or processed, you have the right to withdraw consent and request erasure of such data from the platform and its associated third parties.
The GDPR has also introduced strict obligations for companies to safeguard the personal data of data subjects, respect their privacy and minimise the risks to their rights and freedoms. Some of the key measures include:
Regulatory fines for non-compliance can exceed 20 million EUR or 4% of a company’s worldwide annual turnover.
Under the GDPR, it is mandatory for organisations to ensure that appropriate privacy and security measures are identified and implemented at every stage of personal data collection/processing. This may include business processes, applications and technical solutions.
One of the key requirements is the breach disclosure requirement, which will effectively require organisations to ‘wash their dirty linen in public’. Under this requirement, organisations have a mandatory obligation to report to data protection authorities any data breach that may pose a risk to the rights and freedoms of individuals. Organisations are also required to inform affected individuals about the steps they should take to protect their data.
The GDPR introduces specific requirements for organisations to carry out appropriate due diligence processes and contractual obligations that need to be agreed upon with third-party vendors to address risks around the misuse or inappropriate use of personal data by these companies.
To conclude, we are already looking at a cultural change where organisations are reaping the benefits of adopting a more transparent approach, giving control of data back to individuals, addressing their rights and essentially building trust with their consumers. As consumers, it means more power and control over our own data and its destiny.