General Data Protection Regulation (GDPR) enters into force. On that date, millions of entities across Europe – from MNCs, to websites, to lawyers’ offices – are expected to meet the data protection requirements set out in the Regulation. But alas, within the EU, only 36% of the targeted entities have so far become compliant. In the months to come, there will certainly be a scramble among the rest to achieve compliance.
Unlike many EU regulations, the GDPR is a set of binding, mandatory rules. The GDPR is made up of 99 Articles and 173 Recitals – EU regulations come with Recitals that set out the reasons for the main provisions and are read together with the main Articles. The GDPR is directly applicable in the EU Member States without any enabling legislation. According to Recitals 7 & 9, the aim of the GDPR is to gain people’s trust in the responsible treatment of their personal data in order to boost the digital economy across the EU internal market. Hence, the GDPR seeks to achieve a balance between an individual’s rights over her personal data and the achievement of economic goals, by allowing business entities to collect and use personal data in the course of providing services.
Such services need not be only online services; any entity that uses its service users’ personal data is subject to the Regulation. It may be a small doctor’s clinic that collects health data, a website that collects the IP addresses of its visitors, or an MNC that does sustained web-tracking of the behaviour of its past or potential customers. The GDPR covers both data processors and data collectors – hence, doctors, lawyers and all kinds of solo practitioners fall under its coverage just as much as Google or Facebook, which process ‘big’ data.
The data covered by the GDPR is personal data, such as the name, age, physical address or health status of a natural person, that may lead to the natural person becoming identifiable from the data. The GDPR ensures that individuals retain their privacy and anonymity. Any entity or other individual may collect the personal data only on the basis of the person’s informed consent. There are, therefore, many substantive and procedural rules for collecting, transferring, retaining and erasing personal data. At any stage after giving her consent, the individual (called the Data Subject) may withdraw it. To prevent the individual from becoming identifiable, the GDPR promotes anonymisation and pseudonymisation of the data held by the controller or processor.
The GDPR provides for a broad territorial scope. It applies to processing of data that takes place within the European Union and also to offshore collecting or processing of personal data of data subjects located within the Union. An Indian online seller who monitors the traffic to her website through cookies, to assess how many European customers from which EU Member State visit her website, is subject to the GDPR. In this example, the Indian seller may not become subject to the stiff fines that are imposed for violating the GDPR. But if she eventually starts selling in the EU, one way or another she will have to comply with the GDPR. In addition, the scores of Indian IT companies that process the personal data of people located in the EU will lose their opportunity to continue their business if they do not undertake the safeguards outlined under the GDPR. Hence, Indian lawyers too may have to know the GDPR to guide their corporate clients.