With the rise of the European Union digital economy over the years, European lawmakers proposed an update to the existing data protection and privacy rules – GDPR.
What is GDPR?
Approved on 14th April 2016 by the European Parliament, GDPR is the law that unifies and updates the privacy laws throughout the EU. GDPR was brought in to replace the EU data protection law of 1995.
This new regulation gives attention to transparency and to the privacy rights of the data business. In case of a severe data breach, the company is required under General Data Protection compliance to notify the relevant authority and the affected people within 72 hours.
The directives of the General Data Protection Regulation (GDPR) apply to all data generated by citizens of the European Union. GDPR is anticipated to set a new benchmark for consumer rights with respect to data. But with this, companies will face a challenge, as their management and operations processes and systems will need to comply with the General Data Protection Regulation. GDPR calls for a wider view of what counts as the personally identifiable information of any individual.
With the GDPR implementation date drawing close, there are many elements that businesses need to understand in order to be GDPR compliant. Though many of these constituents do not directly relate to personal information security, changes to existing systems and processes are required to comply with GDPR, so that the system does not put the data at risk. GDPR also standardizes the export of personal data outside the European Union.
Companies that could get affected by GDPR
Any company that processes or stores personal information of EU citizens within the European Union states ought to abide by the General Data Protection Regulation. Even a company or business outside the EU states that holds the data of EU citizens must follow GDPR. The precise criteria are:
– Any business with a presence in the European Union.
– Any business with no presence in EU states but which processes the personal data of European Union inhabitants.
– Any business with at least 250 employees.
– Any business with fewer than 250 employees whose data processing operations affect the rights and freedoms of citizens or the protection of their data; these businesses deal with sensitive personal data.
The General Data Protection Regulation also implies that companies cannot legally process an individual's data unless one of these conditions is met:
– The approval (consent) of the data subject has been obtained.
– Processing is necessary in order to enter into or perform a contract with the data subject.
– Processing is essential in order to comply with a legal obligation.
– Processing is essential in order to protect the data subject and their personal identification information.
In addition, companies need to appoint a data processing officer to protect the data subject and their data.
The Data Processing Officer is the person who ensures that the company is GDPR compliant. Any company that does not comply with GDPR faces a fine of either 20 million euros or 4% of its annual earnings.
The data subject rights under the General Data Protection Regulation need to be carefully understood. These rights include:
Right of access: Data subjects are permitted to review the data that any business or company has stored about them.
Right to erasure (right to be forgotten): Data subjects can ask for their personal data to be erased from the company's database. The company reserves the right to decline the request if it provides a legal reason for the rejection.
Right to object: Data subjects reserve the right to object to the use of their personal data. The company can still use the data based on legal reasons and by notifying the data subject about the data processing.
Right to rectification: Data subjects can ask to have any personal information stored about them corrected.
Right to data portability: Data subjects can access and transfer their personal data stored with a company.
By when companies need to show compliance.
Companies in EU states are expected to show General Data Protection Regulation compliance by 25th May 2018.
Definition of Personal Data as per GDPR.
Under the new rules, personal data includes IP addresses, location data, online identifiers and personal metadata. This new definition requires a strict audit prior to GDPR implementation, in order to check which of the data elements a company holds qualify as personal data under GDPR.
GDPR also requires the security and encryption of personal data, with the encryption key stored separately, which helps minimize the risks of handling personal data. For data to fall outside GDPR, it has to be anonymous. Companies that depend on third-party contractors for data processing work have to carry out extensive risk evaluation.
The intent of the General Data Protection Regulation is to harmonize data protection rules across all European Union states and minimize the regulatory load on the digital ecosystem.
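The two points above, encrypting personal data with the key kept in a separate store and honouring erasure requests, fit together in one design: if every data subject's fields are encrypted under their own key, an erasure request can be satisfied by destroying that key ("crypto-shredding"), and a copy of the record database on its own reveals nothing. The following is an added example, not code from the article or from any named product. It assumes a standard-library-only environment, so an HMAC-SHA256 counter keystream with encrypt-then-MAC stands in for a real AEAD such as AES-GCM; the `KeyStore` and `RecordStore` classes and the `subject-42` sample record are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

NONCE_LEN = 16
TAG_LEN = 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (symmetric: same call decrypts).

    Assumption: stdlib only, so this is a stand-in for an AEAD such as AES-GCM.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyStore:
    """Per-subject keys, deployed separately (e.g. a KMS/HSM) from the record database."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def key_for(self, subject_id: str) -> bytes:
        """Return the subject's key, generating one on first use."""
        if subject_id not in self._keys:
            self._keys[subject_id] = secrets.token_bytes(32)
        return self._keys[subject_id]

    def get(self, subject_id: str) -> Optional[bytes]:
        return self._keys.get(subject_id)

    def shred(self, subject_id: str) -> bool:
        """Destroy the key: every ciphertext under it becomes unrecoverable."""
        return self._keys.pop(subject_id, None) is not None


class RecordStore:
    """Personal-data records; only ciphertext is ever written here."""

    def __init__(self, keystore: KeyStore) -> None:
        self.keystore = keystore
        self.rows: Dict[str, Dict[str, bytes]] = {}

    def put(self, subject_id: str, fields: Dict[str, str]) -> None:
        key = self.keystore.key_for(subject_id)
        row: Dict[str, bytes] = {}
        for name, value in fields.items():
            nonce = secrets.token_bytes(NONCE_LEN)
            ct = _keystream_xor(key, nonce, value.encode("utf-8"))
            tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
            row[name] = nonce + ct + tag
        self.rows[subject_id] = row

    def access(self, subject_id: str) -> Optional[Dict[str, str]]:
        """Subject access request: decrypt if the key still exists, otherwise None."""
        key = self.keystore.get(subject_id)
        row = self.rows.get(subject_id)
        if key is None or row is None:
            return None
        out: Dict[str, str] = {}
        for name, blob in row.items():
            nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
            expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                raise ValueError(f"integrity check failed for field {name!r}")
            out[name] = _keystream_xor(key, nonce, ct).decode("utf-8")
        return out

    def erase(self, subject_id: str) -> bool:
        """Erasure request via crypto-shredding: delete the key, leave the blob in place."""
        return self.keystore.shred(subject_id)


def demo() -> dict:
    """Store -> access -> erase -> access on a constructed sample record."""
    ks = KeyStore()
    db = RecordStore(ks)
    db.put("subject-42", {"email": "alice@example.com", "ip": "203.0.113.7"})  # constructed data
    before = db.access("subject-42")
    erased = db.erase("subject-42")
    after = db.access("subject-42")
    return {
        "before": before,
        "erased": erased,
        "after": after,
        "ciphertext_retained": "subject-42" in db.rows,
        "plaintext_in_db": any(b"alice@example.com" in blob for blob in db.rows["subject-42"].values()),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the access request returning the plaintext fields while the key exists, the erasure request succeeding, and the same access request returning `None` afterwards even though the encrypted row is still in the database. Backups and replicas of the record store are covered by the same key deletion, which is the practical reason to separate the key store in the first place; the MAC check also turns any tampering with stored ciphertext into a hard error rather than silently wrong data.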
Regardless of the countermeasures, adtech will be hit hard by the law, because advertising technologies rely on users' data (sometimes PII) to deliver effective ad campaigns. The problem is that publishers are held responsible for the other adtech vendors they have deployed on their site.
Publishers have to obtain consent 'unambiguously' for all the adtech vendors, which is unlikely to succeed. Even Google declared that 60 to 70 percent of users refuse to provide any consent.