The GDPR, or the General Data Protection Regulation, has been in the works for a significant number of years now. First conceived in January 2012, the initial drafts of a data protection policy would take four more years to turn into a final document.
It would take another 2 years for it to be implemented. One can say that the reform came about as a result of the recent discoveries revealed by a whistleblower regarding dealings in personal data between Facebook and Cambridge Analytica. In order to understand the full scope of the GDPR, one needs to look at the wider context.
The trading of personal data
The world today is alive on the internet more than it is in the physical world. In the digital world, every interaction takes place via a click, and every click is an affirmative decision. Through the series of choices we make on the internet regarding the content we view, share and follow, we leave behind a digital footprint that contains details about our identity. Details such as nationality, race, sexual orientation, tastes and preferences and even political opinions can be inferred from our online activities. By collecting data on all of these online interactions, companies can build complex behavior models that let them identify their customers better and target their marketing content more effectively.
Now, our digital identities may be useful data, but they are, after all, personal property. Ideally speaking, we have the right to decide how our data is used. This means that companies and organizations can use our personal data only with our approval. The reality, however, is not so ethical.
According to the recent leaks, Facebook and Cambridge Analytica, a British data mining and political consultancy firm, engaged in a severe breach of privacy by trading the personal data of users without their permission. Targeting ad content based on user data is one thing, but manipulating political content without the approval and knowledge of the user is an extreme breach of ethics.
The General Data Protection Regulation
The GDPR aims to fix this situation by giving users more control over their own personal data. At the same time, it aims to put in place the right regulations to protect citizens while allowing businesses to leverage this data ethically to improve their operations. It was implemented on the 25th of May 2018 and plans to implement systems that will allow citizens to know instantly when their data has been hacked or misused. Some of the details of this policy are mentioned below.
- Definition of personal data: Within this policy, personal data has a fixed definition. The following details come under the label of personal data: identity information (name, address, IP), online data (cookies, IP address, RFID), medical history, biometric information, race and ethnicity, political views and sexual orientation.
- Penalties under GDPR: If a breach has been detected, the organization is required to report it within 72 hours. Failure to do so, or being directly involved in the breach, counts as non-compliance with the regulations. The penalties include a hefty fine ranging from 10 million euros to 4% of annual turnover, which can run into billions. The exact amount of the fine depends on the extent of the breach.
- Establishing a data protection officer: Under the GDPR, every organization needs to have a data protection officer whose prime role is to analyze user data, monitor users and create behavior models. The officer will monitor the organization and keep it in check. The policy dictates the exact qualifications and experience necessary for the appointment of such an officer.