In this article you will learn about the complete history of GDPR and also understand how GDPR protects the privacy of the individual.
1. History of GDPR:
So, first, we need to understand why these laws were needed in the first place, then how they changed over time and what difficulties arose regarding the privacy of the individual.
It all started in the latter half of the 20th century, as more and more personal data was being collected and processed. With this increase in data processing, concerns began to arise about the potential misuse and abuse of that data, so many countries started to define laws according to their needs. In the early 1970s, countries including Sweden, Germany, France, and the United States started defining laws addressing privacy concerns. However, it is important to keep in mind that the laws proposed by these countries for the protection of personal data focused primarily on data processing by government agencies rather than the private sector.
1.1 The first data protection law and how it evolved:
The first data protection law covering both private and public organizations was the Data Protection Act (DPA), introduced in 1984 in the United Kingdom to regulate the processing of personal data.
As technology progressed and the internet emerged, privacy concerns grew. The EU recognised the need for modern protection and proposed the Data Protection Directive (DPD) in 1995. The DPD established a common framework for data protection and asked member states to implement their own data protection laws consistent with it.
After the DPD was introduced, data collection and processing increased rapidly, particularly online. This is when the need to protect the individual's privacy became pressing: individuals were often not fully aware of what they were consenting to with their personal data, or were forced to give consent in order to access a particular service. Also, the DPD was implemented differently in each EU member state, so enforcement varied between them. As a result, there was no uniformly strict law against violations.
With the growing use of the internet, more and more data became available, and concerns about the protection and processing of that data grew with it. For example, in 2006 Facebook was opened to the public. In 2011, a Google user sued the company for scanning her emails.
Due to these challenges, the European Union decided that it needed a comprehensive approach to data protection. It proposed the General Data Protection Regulation (GDPR) in 2016, and after approval the GDPR completely replaced the DPD in May 2018. This law provides clearer and more straightforward rules and gives individuals more control over their personal data.
2. What is GDPR?
As we know, the General Data Protection Regulation (GDPR) is a privacy law across the European Union which was proposed in April 2016 and went into effect in May 2018. It replaces the Data Protection Directive of 1995, also proposed by the EU. It expands the privacy rights of the individual and gives them more control over their personal data. It is the first law that protects the privacy of the individual and gives the individual more control over it.
3. What is the purpose of GDPR?
The purpose of GDPR is to protect the privacy of the individual while preserving the usefulness of the data at the same time. It creates a balance between the protection and the utility of the data: strong enough to protect the privacy of the individual, yet flexible enough to keep the data useful.
4. How does GDPR protect the privacy of the individual?
General Data Protection Regulation (GDPR) is a comprehensive data protection law that aims at providing privacy to individuals within the European Union. Following are some of the ways in which GDPR protects the privacy of individuals:
4.1 Consent:
The General Data Protection Regulation (GDPR) requires organizations to obtain clear and informed consent from the individual before collecting, sharing, or using their personal information. This means a person has to be fully aware of how their information will be used, for what purpose it is collected, and who can access this data. Without the consent of the individual, a company cannot use or process the information, and a company that fails to comply can be charged a heavy penalty.
4.2 Right to access:
GDPR gives individuals the full right to access their data and to obtain a copy of it free of charge. Individuals can also request that their data be corrected or modified if it is inaccurate. In this way, an individual has more control over their data and a clear view of what data is being kept about them.
4.3 Right to object:
GDPR gives the person the right to object to processing on grounds relating to his/her particular situation, and the organization has to respect the person's objection. After that, the organization may no longer process the data until it has addressed the person's objection.
4.4 Right to erasure:
GDPR also gives individuals the right to request the deletion of their data. A company is bound by the individual's decision. If the data is no longer necessary, the individual can request its deletion.
4.5 Data Minimization:
Data minimization means that data controllers have to limit the amount of data they collect, which means collecting only the data that is necessary. GDPR binds organizations to collect and process only the minimum amount of data required to fulfill their purpose. This means the organization is not allowed to collect unnecessary data and must also delete data that is no longer needed.
4.6 Data Security:
GDPR asks companies to use appropriate security measures to protect the individual's data, using techniques such as encryption, access control, and regular security assessments. This is the trickiest part and also the most important one, as the data is stored on media that are not protected by default, and organizations must do their best to protect it from unauthorized persons such as hackers.
Following are the data security measures that GDPR asks organizations to follow:
4.6.1 Pseudonymization and encryption:
GDPR encourages organizations to implement safeguards such as pseudonymization and encryption to protect the data. Pseudonymization is the process of replacing the fields of a record that can identify a person with a pseudonym. For example, if John is a patient in a hospital, the hospital applies pseudonymization to replace John with a pseudonym such as Patient A, Patient B, etc., and keeps the mapping table in a database that is accessible only to authorized persons. Encryption, by contrast, involves encoding the data so that it can only be read by authorized persons.
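The hospital example above, written out as an added illustration (this is example code, not from the original article or any real system): identifying fields are swapped for "Patient A"-style pseudonyms, the mapping table lives apart from the working dataset and is only readable by an assumed `privacy_officer` role, and a keyed-hash variant shows the table-free alternative whose secret key then needs the same protection as the table. Records and role names are constructed for the example.

```python
import hmac
import hashlib
import string

# Constructed sample hospital records; names and values are invented.
RECORDS = [
    {"name": "John", "dob": "1980-04-12", "diagnosis": "flu"},
    {"name": "Maria", "dob": "1975-09-30", "diagnosis": "asthma"},
]
IDENTIFYING_FIELDS = ("name", "dob")
AUTHORIZED_ROLES = {"privacy_officer"}  # assumed role allowed to re-identify


class PseudonymizationStore:
    """Pseudonymizes records and keeps the mapping table apart from the working data."""

    def __init__(self):
        self._mapping = {}  # pseudonym -> identifying fields (the protected table)

    def pseudonymize(self, record):
        # Patient A, Patient B, ... (enough for up to 26 records in this example)
        pseudonym = f"Patient {string.ascii_uppercase[len(self._mapping)]}"
        self._mapping[pseudonym] = {k: record[k] for k in IDENTIFYING_FIELDS}
        working = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
        working["pseudonym"] = pseudonym
        return working

    def reidentify(self, pseudonym, role):
        """Only an authorized role may consult the mapping table."""
        if role not in AUTHORIZED_ROLES:
            raise PermissionError(f"role {role!r} may not access the mapping table")
        return self._mapping[pseudonym]


def keyed_pseudonym(record, secret_key):
    """Table-free alternative: an HMAC over the identifying fields. The token is
    consistent for the same person, but without the key it cannot be linked back,
    so the key must be protected exactly like the mapping table."""
    ident = "|".join(record[k] for k in IDENTIFYING_FIELDS).encode()
    return hmac.new(secret_key, ident, hashlib.sha256).hexdigest()[:16]


def build_working_dataset(records):
    store = PseudonymizationStore()
    return store, [store.pseudonymize(r) for r in records]


if __name__ == "__main__":
    store, dataset = build_working_dataset(RECORDS)
    print(dataset)  # no names or birth dates, only "Patient A"/"Patient B"
    print(store.reidentify("Patient A", "privacy_officer"))
```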
4.6.2 Access Controls:
GDPR requires controllers and processors (organizations) to use access control to limit access to data to only those specific persons who are authorized. This could be based on job roles or on multi-factor authentication.
4.6.3 Regular Security Assessments:
GDPR requires organizations to regularly check the effectiveness of their security and make improvements where necessary. This can be done through penetration testing, vulnerability assessments, and security audits.
4.6.4 Data Breach Notification:
GDPR says that in the case of a security breach, the controller or organization has to inform the supervisory authority about the data breach without undue delay and within 72 hours of becoming aware of it. The notification must also describe the nature of the personal data breach. There are also technical measures that reduce the risk of a breach, such as requiring employees to use two-factor authentication and storing data in the cloud with end-to-end encryption.
5. When does GDPR apply outside Europe?
5.1. Offering Goods and Services:
The Internet has made everything accessible from a wide range of places. For example, a person in the EU can order food from Miami and have it delivered to a friend's house there. But GDPR does not apply to such occasional instances. Rather, it looks at whether an organization is offering goods or services to EU customers: a company in Canada offering services to EU customers falls under GDPR.
5.2. Monitoring:
If you are a website owner and your website tracks its audience, for example with tracking cookies and IP addresses, and the people who visit your website are from the EU, then you fall under the GDPR regulations.
6. Exceptions to the rules:
There are some exceptions to the rules. First, the GDPR does not apply to household or personal activities. For example, if you collected emails from your friends to organize a party, you are not bound by the GDPR to encrypt their contact info.
But if you collected the data from your friends to fundraise for a side business project then you fall under GDPR as it applies to the organizational work.
7. Penalties for violating GDPR:
The penalties or fines for violating the GDPR are very high. There are two tiers of penalties, reaching up to 20 million euros or 4% of global revenue, whichever is higher. The data subject can also seek compensation for damage suffered.
Conclusion:
In summary, GDPR protects the privacy of individuals and safeguards confidentiality by emphasizing consent, data minimization, strong security measures, accountability, individual rights, and strict penalties for non-compliance. These measures collectively work to protect the confidentiality of personal data and give individuals greater control over their information.