Introduction to GDPR: The Who, What, When, Why, and Where of GDPR
Why IT professionals should learn about GDPR - it is law in all countries that are members of the European Union (EU), and it also reaches organizations outside the EU that work with the EU or have clientele in EU countries.
Why GDPR exists - the core reason is to protect people's fundamental rights, i.e. the right to privacy.
Why we need GDPR - the previous EU data protection law was passed in 1995, and as technology has evolved, the way data is collected and used has changed considerably.
Whom it applies to - GDPR applies to any organization that does anything with data about people.
It applies to all organizations in the EU and to all organizations that work with the EU, i.e. offering goods and services in the EU or monitoring the behaviour of people in the EU.
Simply put, GDPR applies to every organization, inside or outside the EU, that works with the data of people in the EU.
GDPR has 6 principles:
- Data use is fair and expected
- Hold only the data that is necessary
- All data must be accurate
- Delete it when finished
- Keep data secure
- Be accountable.
What is the risk of non-compliance to GDPR?
1. Reputation - if an organization is not compliant with GDPR, people may not trust that company.
2. Fines and penalties for not following GDPR - a fine could be EUR 20 million or 4% of the organization's global turnover.
3. Liability risk - people / customers who use the organization's services can sue the organization if their data is misused or leaked.
Each country has a local data protection authority. In India there is no such authority, but data protection is covered under the IT Act (70). It is a punishable offence, and a person can get a jail term of 3 years or a fine of Rs. 5,00,000/-.
Let's understand GDPR in detail -
GDPR Article 1 - "This regulation lays down rules relating to the protection of living humans with regard to processing anything with personal Data..."
- Living humans - means people, regardless of geography.
- Processing of personal data - means doing anything at all with data, i.e. collecting, analysing, using, recording, structuring, consulting, retrieving, transmitting or anything else.
- Personal data - any information relating to an identified or identifiable living human, i.e. a Social Security number, PAN number or driving licence.
Three key terms in GDPR
- Data subjects - the people whose data it is, i.e. the people the organization works for or who work for it, meaning customers or employees.
- Data controller - the party that controls the data, i.e. the information from when you log in, the work you do and the actions you perform.
- Data processors - the party that processes the data, for example an organization using cloud services such as AWS to process the data. Both data controllers and data processors process (do anything with) personal data. Companies or governments can be data controllers or processors.
GDPR regulations -
GDPR is split into 2 parts:
- Recitals - 173 in total
- Articles - 99 in total
GDPR principles in detail
1). Fair and expected - all processing of data must be lawful, fair and transparent. Transparent means that when you collect data you should tell people what you are going to do with it, and why.
2). Fair - balancing the fundamental rights and freedoms of the person whose data it is against the rights of the party holding the data for further processing. This means, for example, that a financial website can't share people's personal data with other companies without their consent.
3) Lawful - there are six reasons for processing data:
- Consent from the data subject
- Contract with the data subject
- Legal obligation - companies are bound to share data with government authorities.
- Vital interests.
- Public interest / official authority - processing of your personal data, such as Siebel for your financial status.
- Legitimate interests.
Key Data Protection Concepts and Principles: All Processing Must Be Lawful
Besides the above six reasons, there is special category data, which can't be processed or needs special approval from government authorities.
The categories are:
- Data that could enable discrimination - race, religion, political party or trade union membership.
- Genetic / biometric data
- Sexual life / orientation
But if an organization or person still wants to process special category data, they need an additional good reason, and there are 6 of these:
- Explicit consent from the data subject
- Employment - processing in the context of employment
- Vital interests - healthcare
- Substantial public interest
- What an organization does
- Public health
(Disclaimer - if you are looking for government-specific information on GDPR, you should check with a lawyer who can advise on GDPR.)