If there were a slider to pan through the recent months, the news pattern would move from the Facebook-Cambridge Analytica saga, to the Congressional hearings, to the news of GDPR coming into force on 25 May. At first glance, it seemed like a fitting answer to a persistent problem. The past couple of years, after all, have seen no shortage of conversations about the need to uphold data privacy as a top priority. Debates and discussions around net neutrality created a largely divided world, with the more aware consumers waiting for a free (as in freedom) and fair internet.
In the months since 2015, we saw India’s telecom regulator TRAI recommend that the Indian industry favour net neutrality. That was a win for India. The EU, however, is generally regarded as placing consumer concerns at the centre and treating them with the utmost importance.
Not long after India’s telecom regulator advocated a free and fair internet, the European Union was coming together to formulate a regulation to uphold the safety and security of the personally identifiable information of millions of netizens in the EU. On 14 April 2016, the EU adopted what it called the General Data Protection Regulation.
GDPR supersedes the Data Protection Directive
GDPR was formulated as a regulation that takes the place of the Data Protection Directive, and it places emphasis on the protection of the personally identifiable data of citizens of the European Union. Currently, there is not much in it that impacts us in India, but that is purely from a legal standpoint. A very similar example is the influence of the Euro emission standards for vehicles on the Bharat emission standards followed in India.
Handling of personal data
According to the regulation, companies that collect personal data need to build their products with ‘privacy by design’ in mind. Privacy by design is a philosophy that places great emphasis on the values of privacy and data security, thereby protecting the identity of users. From a technology point of view, this involves using better protective mechanisms at the protocol level, such as the Dynamic Host Configuration Protocol (DHCP), which assigns systems communicating with each other an IP address from a server, thereby masking their physical identities.
Lawful handling of data
GDPR places great emphasis on user consent. While products and services have asked for user consent in the past, what was lacking was an easily accessible means of purging the data collected. Recently, during the Congressional hearings with Facebook CEO Mark Zuckerberg, he repeated his stance on user privacy and advocated the need to make Facebook more open and transparent about the user data it collects.
Transparent data collection
In addition to being lawful about the data collected on its users, companies are also expected to be more transparent. A service must make it appropriately clear to the user what kind of data it collects and how it intends to collect it. It must also justify why the data is being used. There must also be a timeframe after which the data is purged. If the data is being shared with any third-party services, then the product must come clean about it.
GDPR also grants users the right to request a portable copy of their data and, more importantly, the right to have their data erased when they request it. For public authorities and businesses whose primary work involves processing personal data, there needs to be a data protection officer with the sole responsibility of ensuring compliance with the regulation. The regulation makes it mandatory to report any breach of user data within 72 hours, especially if it has an adverse impact on user privacy.