GDPR – General Data Protection Regulation
GDPR, short for the General Data Protection Regulation, is a legal framework that establishes rules and principles governing the collection and handling of personal information belonging to individuals within the European Union (EU).
Although approved in 2016, GDPR only came into effect in May 2018. It applies to organizations operating within the EU and those targeting or gathering data related to EU residents. Its primary objective is to grant individuals greater control over their data by holding companies accountable for their data management practices.
Comprising 11 chapters with 99 articles, GDPR mandates that organizations collect personal data legally and transparently, adhering to stringent conditions. They are also responsible for safeguarding this data against misuse and exploitation while respecting the rights of data owners. Failure to do so can result in severe penalties.
Furthermore, GDPR grants individuals the right to request the deletion of their data if there are no legitimate reasons to retain it, known as the “Right to Erasure.” Additionally, the regulation strengthens reporting requirements and enforcement measures, obliging organizations to report data breaches within 72 hours.
Non-compliance with GDPR can lead to significant consequences, including fines of up to 4% of a company’s global turnover or 20 million euros, whichever amount is higher.
Key Aspect
The GDPR introduces a revised definition of personal data, encompassing any information linked to an identifiable individual. This includes standard identifiers like names, addresses, email addresses, location data, or computer IP addresses. Additionally, it extends special safeguards to sensitive data such as religious beliefs, racial or ethnic origin, sexual orientation, or trade union membership.
Under the GDPR, higher penalties are instituted, imposing fines ranging from 2 to 4 percent of a company’s annual revenue or 20 million euros (equivalent to $24 million), whichever figure is higher.
Moreover, individuals residing in the European Union will gain more substantial rights, including the right to:
- Obtain clear and comprehensible information about the entities processing their data and the purposes behind it.
In light of Brexit, where the UK is scheduled to depart from the EU on March 29, 2019, approximately ten months after the GDPR takes effect, it is essential to note that the UK government has assured that GDPR will continue to apply in the country. Thus, GDPR compliance requirements will remain unaffected by Brexit, with the regulation benefiting the UK despite its EU membership cessation.
What Implications Will India Face?
The GDPR carries global implications as it extends its reach to those beyond the EU borders who monitor EU residents’ behaviour or offer goods and services to them. The European Union is India’s largest trading partner, and bilateral service trade alone amounts to over €28 billion (equivalent to Rs. 2.2 lakh crore).
Consequently, Indian IT firms and other service providers engaged with EU business will experience a significant impact. It is worth noting that only one-third of Indian IT companies are currently taking steps to prepare for GDPR compliance, while another third remains unaware of such a law.
This lack of preparation could result in potential fines, business losses, missed opportunities, and even diplomatic disputes during trade negotiations between India and the EU. GDPR replaces the 1995 Data Protection Directive, focusing on safeguarding the personal data of EU citizens in the evolving digital landscape.
The regulation extends its coverage to all EU member states and their citizens, necessitating compliance for global enterprises with EU operations or customers. Failure to comply may result in penalties, but forward-thinking businesses could also perceive GDPR as a business opportunity. Furthermore, following the Supreme Court’s ruling, a data protection framework has been proposed.
