13 Feb

It has been four years since the debates, preparations and negotiations began. The enforcement date of the European Union’s General Data Protection Regulation (GDPR), 25 May 2018, was set two years ago, on 14 April 2016. Enterprises, no matter their size or line of work, will face heavy fines in the case of non-compliance with the regulation. The regulation was designed from the outset to protect the privacy of EU citizens. It will force a change in the way organizations and commercial enterprises approach the use of data that belongs to an EU citizen. What makes GDPR so important is primarily that any company that processes or holds personal data of any subject who resides in the European Union is subject to the regulation, regardless of the location of the company or its headquarters.

To understand what GDPR will change in legal, commercial and social life, one should have a grasp of the concept of personal data: it can be any information linked to a natural person, who is then considered a ‘data subject’ in the eyes of the law. It can be a name or a photo as well as an IP address. To be considered personal data under GDPR, the information must be capable of being used to identify a specific person.

GDPR also obliges any kind of organization that processes or holds sensitive identifiable information and data to appoint a Data Protection Officer (‘DPO’). The DPO will be notified in the case of a data breach, examples of which have been witnessed in the past couple of years, like the Yahoo data breach where 3 billion identities were stolen. The DPO must be notified within 72 hours in the case of a data breach if the breach can lead to a risk for the rights and freedoms of individuals. This is the first data subject right foreseen by the regulation.

Another one is called the right to access. This data subject right empowers the subject to request information on whether or not the data that originally belongs to the subject is being processed, and where, how, when and for what reason. The subject also keeps the right to request a copy of his or her processed data in electronic format. This regulation automatically requires the data controller and processor to be more transparent, which can eventually heighten the sense of trust in the use of personal data.

An interesting one, and in comparison to other data subject rights an ambiguous one, is called the ‘right to be forgotten’. The right entitles the natural originator of the data to have the data processor or controller erase it, consequently forbidding and preventing the use of the data by a third party. Further processing and holding of the data can also be prevented through the withdrawal of the consent initially given at the beginning of the activity at hand. The ambiguous side of the right to be forgotten concerns how much discretion the data controller is permitted when a data subject requests to be forgotten. In this case, the data controller is required to compare the subject’s right to be forgotten to the ‘public interest in the availability of the data’ when considering such requests[1].

The General Data Protection Regulation is pointed out to be both the most radical change in data regulation in 20 years and the most important one. It may indicate a shift in priorities: commercial efficiency and capability used to be pursued to the detriment of the privacy and discretion of intangible personal belongings, whose takeover may pose a risk to the everyday activities of the subject.

[1] EU GDPR, Key Changes, https://www.eugdpr.org/key-changes.html
