When we hear the words "security of personal data", what is the first thing that comes to mind? We picture the theft, leakage, or misuse of the personal information of a person, a company, or a nation. To safeguard this information, many nations enforce regulations and rules within their own jurisdictions. One example is the GDPR enforced by the EU: the General Data Protection Regulation (GDPR) is a set of rules governing how the personal information of people who live in the European Union (EU) may be collected and used.
What is GDPR?
- The European Union approved the General Data Protection Regulation in April 2016 and it became law on May 25, 2018.
- It was enacted to regulate how businesses process and use personal data collected from customers online, and it replaced an earlier law known as the Data Protection Directive. It also sets rules for how information is transferred, whether the processing is wholly or partly automated.
- GDPR focuses on the protection and security of the personal data of European residents and inhabitants. It also makes specific provision for Small and Medium-Sized Enterprises (SMEs).
- Companies and organizations whose target customers or users are in the EU must comply with the law even if they are based elsewhere. This is the "extraterritorial effect" of Article 3 of the GDPR, and it applies despite the fact that the law was enacted for European citizens and residents.
- GDPR aims to bring businesses into compliance. Under Article 83 of the GDPR, a company is liable for fines and penalties in the event of non-compliance.
The law makes it difficult for businesses to mislead customers who visit their websites with language that is ambiguous or confusing. It also requires that:
- Visitors to the website are informed of the data collected.
- By clicking a button or taking another action, visitors indicate their explicit consent to that information collection.
- There is a mandatory assessment of the site's data security, and sites notify visitors promptly if any of their personal data is compromised.
- The organization determines whether an existing member of staff can perform the data protection role or whether a dedicated data protection officer (DPO) needs to be hired.
Tiers of Infringement and Penalties
- Less severe infringement: the organization must pay whichever is greater of
  - a fine of up to 10 million euros, or
  - 2% of the company's worldwide annual revenue from the previous year.
- More serious infringement: these violate both the right to privacy and the right to be forgotten. The organization must pay whichever is greater of
  - 20 million euros, or
  - 4% of its previous year's worldwide annual revenue.
Data protection principles outlined in Article 5(1)-(2) of the GDPR:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Data subjects' privacy rights recognised by the GDPR, which aim to give individuals more control over their data:
- Right to be informed
- Right to access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights in relation to automated decision making and profiling
Impact of GDPR on Indian Firms
The GDPR replaced the Data Protection Directive and is aimed at protecting the personal data of EU citizens in the new digital world. All global enterprises with customers and operations in Europe must comply with the GDPR. Europe is a significant market for India's BPO, ITeS and pharma sectors, and the IT industry in France and Germany is estimated at around $155-220 billion. Indian companies face increased compliance costs and the risk of huge penalties if they fail to comply, but they also have huge business opportunities.
Laws applicable in India for the protection of personal data
The Information Technology Act, 2000:
- This act governs data protection in India.
- The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, also known as the Data Protection Rules, were issued under the IT Act.
- Companies and organizations that collect, process, store, or transfer sensitive personal data or information of an individual are required by the Data Protection Rules to obtain consent, publish a privacy policy, and adhere to restrictions on disclosure and transfer.
- Organizations that deal with sensitive data or information about individuals are also required to implement Reasonable Security Practices and Procedures (RSPPs) under the Data Protection Rules.
Digital Personal Data Protection Bill 2022
- The collection, processing, storage, use, transfer, protection, and disclosure of personal data pertaining to Indian residents will be governed by the Digital Personal Data Protection Bill 2022, which is currently under legislative consideration in India.
- The bill was introduced three months after the Personal Data Protection Bill, 2019 was withdrawn.
- Personal data are the primary focus of the new Digital Personal Data Protection Bill for 2022.
- The bill provides heavy penalties for non-compliance, but they are not linked to the company's turnover.
- It also includes provisions for simpler compliance requirements for start-ups and relaxed regulations on cross-border data flows, both of which could provide relief to major tech companies.
There are, however, two significant caveats:
- A dilution of the authority of the proposed Data Protection Board, which is mandated to oversee the provisions of the proposed legislation,
- A near-universal exemption for government agencies from complying with some of the more burdensome requirements outlined in the Bill.
Data Protection Laws in Other Nations
China
- The Personal Information Protection Law (PIPL), which came into effect in November 2021, is one of several recent data privacy and security laws that China has passed in an effort to stop the misuse of personal data; it grants new rights to Chinese data principals.
- The Data Security Law (DSL), which took effect in September 2021, places new restrictions on cross-border transfers and mandates that business data be categorized according to levels of importance.
United States
- In contrast to the EU’s GDPR, the US does not have a comprehensive set of privacy rights or principles that address the use, collection, and disclosure of data.
- Only a limited amount of sector-specific regulation exists, and the approach to information privacy differs between the public and private sectors.
- The Privacy Act, the Electronic Communications Privacy Act, and other similar pieces of broad legislation address the government’s activities and powers regarding personal information.
- There are some norms that are specific to the private sector.
Source: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation