An Introduction to GDPR

An Introduction to GDPR

16th July 2018

GDPR Basics: You Own your Personal Data

The European Union(EU) has imposed one of the greatest data security laws in Europe- The General Data Protection Regulation (GDPR) from 25th May 2018. Companies around the globe that deals with data of EU citizens, will have to follow GDPR accordingly. The effect of this law will be huge in all sort of businesses. As a result, there will be significant changes in the approach and methods of customer-data collection, storage, and usage by a company. People from the EU region will now have the best “Digital Right” of their own data. Failure to comply with GDPR can result in huge fines. The following article discusses some basic information and general understanding on GDPR. Let’s dive in, shall we?


GDPR Basics

The General Data Protection Regulation (GDPR) is a new data law which replaces the outdated 1995 EU Data Protection Directive and Data Protection Act 1998. GDPR imposes the new set of rules in all 28 EU countries to control and process user’s Personally Identifiable Information(PII).

Personally Identifiable Information (Data Subjects)

Any information related to a living or non-living person that can be helpful to directly or indirectly identify the specific person. It can be real and virtual information including-
• Basic Identification: Name, photo, home address, ID numbers, bank details, bio-metric data and income.
• Cultural profile: Racial or ethnic info, sexual orientation, religion and caste.
• Web Data: Email address, IP address, cookie data and radio-frequency Identification tags, GPS info(Location) and posts on social networking websites.
• Medical Information: Physical, mental and genetic data.


The motives of GDPR

The main reason of introducing a new data law such as-GDPR, is the old law (Data Protection Act 1998) needed some upgrades on the issues of the definition of Personal Data, clear consent, Legal Rights of Data Subjects and so on. Moreover, with the advancement of IT and Internet, it’s the high time to come up with a new kind of law that parallels to the newest technology and Big data.

Some other reasons may include-
• The biggest motive behind GDPR, is the EU’s intention to bring an updated data protection law to have upper hand in how people’s data is being used. Following the recent Facebook Data leak of 50 million user’s data made it more essential to have a strong and up-to-date data security policy. Read the following article to know more:
Facebook Data Leak: How to Safeguard Your Personal Data??
• The other reason was the EU’s plan to give data organizations a standard on the legal environment and their behavior. By making a fixed data protection regulation throughout Europe, the EU estimates to save a collective amount of €2.3 billion annually.


GDPR’s Global Reach
According to GDPR Official site:-

“The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”

Any company that deals with any sorts of data subjects (previously mentioned) of EU citizens within or outside Europe must act upon the GDPR. Specific categories for companies required to comply with GDPR are:
• Companies allocated in any EU country.
• Even if non-presence in the EU, but processes personal data of European residents.
• A company consists of more or less than 250 employees but it handles various personal data which might have impacts on social security of data subjects normally or occasionally.
So it’s obvious that almost all companies having a single EU contact, will be under the GDPR radar.


Punishments of GDPR Non-compliance

Obeying the GDPR is a must for very technical or non-technical companies and institutes. A number of sanctions will be imposed if found guilty of data breach. Following are some sanctions of GDPR:-

• In cases of non-compliance by mistake for the first time, a written warning will be given to the company. In additional to that, regular periodic data protection audits will be applicable to that company.
• A fine up to 4% of annual global turnover of the company or €20 Million (whichever is greater). But this penalty has some sub-sections.
The GDPR site as follows:-
“This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of privacy by design concepts.

There is a tiered approach to fines e.g. a company can be fined 2% or €10 Million for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment.

It is important to note that these rules apply to both Data controllers and processors which meaning ‘clouds, SaaS vendors’ will not be exempted from GDPR enforcement.”



User’s Consent under GDPR

The conditions of the data subject’s consent over the data processing has been revised and made stronger under GDPR. User’s Consent must be a proactive and clear agreement based action. The current passive acceptance of the user agreement through technical and legal, unclear terms has been reformed in GDPR. The user agreement should have an easy and readable format to facilitate the users to understand what they are about to consent.



The official GDPR site says-

“The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.”

So the users’ will have clear message by the company before asking them to provide their valuable information. The companies should rewrite their user’s agreement is the most user-friendly and readable way.



Extensions of the GDPR


Data Protection Officer(DPO)

Under the GDPR legislation, companies that deals with a lot of data will have to appoint a data protection officer (DPO) in order to regularly monitor the large-scale data. DPO can be a staff member of the company or an outsourced employee who will directly report to the higher level management.

The basic role of a DPO is to ensure the GDPR approved way in collecting, storing and using data. Moreover, a DPO is bound to inform and advise the organization about maintaining the GDPR requirements and monitoring compliance in any circumstances. In case of data breach, the DPO has to report to the higher authority immediately and notify the GDPR authority of the incident as soon as possible.

To know more about DPO, click here.


 Data Controller and Processor

The Data controller is a profitable organization that determines the purpose and ways of processing the user-provided data. Data Processor is the entity that does the actual data processing job under the command of the data controller.

Both the data controller and processor have to abide the GDPR in any case. Moreover, It’s the controller’s duty to make sure that the processor strictly follows the data protection law and processors must act on the rules to maintain records of their processing activities.


Data protection by default and by design

Under the GDPR, a company has to implement strict rules on designing the security measures in data security. Keeping the user’s data private and protected in any given circumstances, is the main concern of GDPR compliance. Article-25 of GDPR states that-

“The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed .
In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”

So in simple terms, GDPR enforces the companies to rebuild their data security system in such a way that any kind of cyber-attack and data-breach can be stopped proactively.


In case of Data Breach


It’s the data controller’s responsibility to inform data protection authority of any data breach that risks people’s sensitive data within 72 hours of becoming aware of it. If not informed within the deadline, the organization has to provide sufficient reasons and evidence of their delay. The data breach notification should include the followings- the nature of Data Breach, the likely outcomes of breach of personal data, possible measures that can be taken to stop further breach.

Moreover, the data controller has to deliver a full documentation having the complete description of data breach in details.



Users’ Privileges in GDPR

Right of Access

Under GDPR, the user has been given the digital right to access the following information by the data controller: –
1. Purposes of the processing
2. With whom the data is shared
3. How the data is acquired
4. How their personal data is being processed
5. An overview of the categories of processed data
6. Copy of the actual data
7. Notification of data transfer to a 3rd party
To know more, read the article 15 of GDPR .


 Right to Erasure

This right has been known as-“Right to be forgotten” which clearly indicates that the data subject has the right to ask the Data controller to erase his/her data when-

1. The personal data are no longer necessary
2. The data subject withdraws consent
3. Have objections to the data processing
4. Unlawful processing of personal data
In clear sense, the user’s data is user’s property. So the user can ask to fully delete their data from the system whenever s/he wants and the controller has obligation to comply with the user’s demand.

• Right to Data portability
Under this right, if a user wishes to transmit his/her personal data to another system, the data controller is bound to help the individual to facilitate the data transfer.

Moreover, the data must be provided by the controller in a structured and popular machine-readable(electronic) format.

For more info, read Article-20

Exceptions of GDPR

According to the Article-23, The GDPR has been compromised in these following circumstances-
• National & Public Security
• The prevention, investigation, detection or prosecution of criminal offences
• The protection of judicial independence and proceedings
• The enforcement of civil law claims (Police, Army)
• Statistical and scientific analysis


Implementation of GDPR


The companies who deal with the data of EU citizens have to make some significant changes in order to comply with GDPR. These are some of the issues that needs to be checked for the maximum implementation of this new data law:


Transparency on handling personal Data:

If the users ask about how and where is their data been used- the company is bound to provide them the accurate answer. Moreover, as the data is a digital right of the user, if the users ask to erase their data, the company is bound to do so. So in order to comply to GDPR, all the data companies have to be the most transparency


Ask for clear-cut user’s consent:

A company needs to make an explicit strategy that seeks permission of the user on keeping records of their data. It also includes the documentation of user’s consent on collecting and using their personal data. Companies should also train their employees to not to use any data without use’s consent and not to use the data for things they didn’t consent to as well. Keep in mind that users under 16 years are not entitled to consent and parental supervision is needed in this case.


Appoint a Data Protection Officer:

According to the GDPR, every company dealing with EU citizen’s data needs to assign a DPO. The Data protection officer will be responsible of managing the contact between data controller and processor. The officer will also be held accountable for delay notification of any data breach.


Data Breach Incident Response Plan:

The companies should change their strategy on data handling as well as response plan in case of data breach. The first response will be to notify the GDPR regulatory agency of the incident and the data owner. The company should have effective plans to lessen the damage due to data breach.


The Bottom line of GDPR states that the data protection of companies, dealing with EU citizens’ personal data, has to be highly secured and protected under any circumstances. The users have the digital right over their data and have privilege to erase, forgotten, transfer their data. Any company failing to comply by these rules, will be held accountable and fined. The GDPR is “one-stop” authority to take any decisions regarding data breach and noncompliance and doesn’t require any governmental approval.

Get in Touch

Bangladesh House 6, Road 1A, Sector 5, Uttara, Dhaka