Why is GDPR a Big Deal?

Updated on May 10, 2018

A bibliophile and technology enthusiast with a previous career in IT.

What is GDPR?

The General Data Protection Regulation (GDPR) represents an overhaul of the Data Protection Directive (DPD) that had been in force in Europe since 1995. The European Union (EU) has been at the forefront of safeguarding the rights of its citizens, and GDPR is seen as an essential step at a time when the internet provides little clarity on how personal data is used.

GDPR overview

GDPR is described in 99 articles and represents a radical change in the approach to handling personal data of EU citizens. Salient points include:

  1. It is a regulation instead of a directive – this makes it mandatory across the EU and improves enforceability.

  2. It expands the definition of personal data to include any identifiable information regarding a person – moving beyond name, ID and bank account number to include location information and social identifiers (the concept of a “like” on social media, etc.).

  3. It requires explicit consent for the use of data, based on unambiguous requests with explicit responses. Situations where the data is required to fulfill contractual obligations, or to fulfill legitimate interests of the data user (for example, a bank requires personal information to complete transactions), are not subject to the explicit consent rule.

  4. It defines the rights of the data subject: to be given clarity on who is using the personal data and for what purpose; to request and receive the data being used; and to have all data deleted and to revoke previously provided consent. Remedial rights of the data subject against all other parties (both the processor and supervisory authorities) are also defined.

  5. The roles of controller and processor are defined, with the controller deciding how data is treated and the processor working under the instruction of the controller. Where large-scale data processing is involved, both the controller and the processor have to appoint a Data Protection Officer (DPO), who has oversight responsibility and serves as the interface point to EU supervisory authorities. Both are also liable in case of non-compliance.

  6. Transfer of personal data to partners (including partners outside the EU) is allowed, subject to enforceability of all articles of GDPR and in accordance with international data transfer treaties. The controller initiating the transfer retains obligations with respect to GDPR.

  7. Data breaches that pose a risk to “personal rights and freedom” are to be notified to the authorities within 72 hours and to the data subject without undue delay.

  8. The role of country supervisory bodies and the European Data Protection Board are defined.

  9. Specific data processing situations, i.e. exceptions allowed to the rules, are defined.

  10. The procedure for fines and penalties is defined, with a cap of 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

What does it mean for the casual internet user?

Users have been coming across updated terms of service and banners on various websites - media, shopping, search, etc. These have to do with the service companies updating the way they interact with customers in order to comply with GDPR. Most internet service companies intend to provide the same services across the globe; however, they are retaining the option to provide an EU variant and a non-EU variant of their services.

As an EU citizen, a user shall have the right to receive unambiguous information before signing up for a service - not complicated legalese running into multiple pages that cannot be understood. The user can expect to understand who the different parties using the personal data provided are and how they use it. The user can explicitly provide or reject consent to specific parties.

The user is also entitled to receive a download of the personal information that the service provider has accumulated and to ask to be forgotten, i.e. request a data deletion. Further, the user can complain to the authorities and seek recompense in case of issues.

The service provider is obligated to inform the user about any significantly risky data breaches in a reasonable time frame.

What does it mean for a service provider with EU based customers?

The service provider has to upgrade the consent mechanism so that users are informed of the intended usage as well as the details of any partners/third parties who would have access to the user's personal data, including how they use it. The consent mechanism should allow the user to accept or reject the usage on a per-vendor basis.

The service provider is also required to provide evidence of how the data is secured as well as logs of how it is used, to demonstrate that the usage is in sync with the defined intent.

A data protection impact assessment is required to assess the risks associated with new data processing scenarios.

The service provider has obligations to report breaches that are high risk to the supervisory authorities within 72 hours and to users within a reasonable time-frame.

For organizations heavily involved in personal data processing, a Data Protection Officer is to be appointed, whose role and responsibilities are defined by GDPR.

When does this happen?

The EU declared in 2016 that GDPR enforcement would start on 25 May 2018. As a result, service providers and other processors of data who target customers in the EU have been preparing for GDPR over a period of two years and have devised means of being compliant with the regulation.

From that date onwards, supervisory authorities in the EU would inspect any personal data usage scenario that is non-compliant with GDPR and ask for updates and/or impose penalties. Users would also be able to seek information and complain if they are not adequately satisfied by the responses.

It would be a period of watching and continuous improvement for the different service providers as any records of non-compliance are published.

Overall, the situation would return control over personal data to its source, where the individual can choose to accept or deny how service providers and their partners use data.


GDPR is a big deal

GDPR potentially overhauls the way internet-based companies process personal data, making them more accountable for their processes and giving the end user control over what personal data is used and how. It marks a major milestone in the history of the internet and touches far more organizations and industries than is apparent.

While it applies to EU citizens, the nature of the internet is poised to change all over the world. And it is only a matter of time before other regulatory bodies demand parity with the EU regulation.

The quantum of penalties has drawn attention worldwide - however, the numbers listed are the potential maximum, not necessarily applicable to every type of infringement.

The internet awaits the dawn of the GDPR era, specifically to understand the position of the supervisory agencies and to get a view of the level of enforcement, and whether there will be any leeway. On the other hand, some internet activists in the EU are preparing to raise complaints once the GDPR regime gets underway.

Time will tell whether we are actually at a point where the internet changes forever as has been predicted by many industry analysts.

    © 2018 Saisree Subramanian
