Remember Truman Burbank? He was yet another ordinary guy who had everything going for him except one small thing; he had no privacy. Millions of people all over the world, had access to the minutest detail of his life. The movie managed to brilliantly capture everybody’s worst nightmare in a span of 103 minutes and add a comic twist to the gross violation of somebody’s privacy which left the audiences sympathising with the poor man instead of being infuriated by the blatant disregard for somebody’s privacy.
However, considering today people are sharing almost every aspect of their lives on various social media forums, vlogging about their routines and the supporting shows like Big Brother, the question that arises is that do humans really value their privacy that much? Well, humans might not value or even care about their privacy that much but what they crave and demand is control. They want to expose aspects of their lives but they want to control the exposure.
With information technology continuously evolving, our personal data is constantly on display and we are losing control over it, thereby opening ourselves to unnecessary intrusions, excessive exposure and cyber crimes. We are evidently struggling to maintain control over our data. It has therefore become imperative that we take steps to protect our data. As many as 93 countries across the globe have enacted some law or regulation for the protection of personal data. However, the EU has one of the most stringent and comprehensive data protection laws in the world.
The EU Lawmakers’ concern for the protection of data subjects’ privacy is not a recent development. It has existed for over three decades. In 1981, the treaty regarding the protection of individuals with regard to automated processing of personal data was signed, which was ratified by as many as 47 countries of EU. However, the most significant law until recently was the The European Data Protection Directive of 1995. The General Data Protection Regulation (GDPR) is an amended version of the Directive and takes into account the development in technology, the urgent and heightened need to protect people against unnecessary intrusions and cyber crimes and ensure greater compliance of the law by imposing penalties.
Considering cases where litigants have been suing companies for lack of better management of their data, it has become evident that people want to reclaim control over their data and therefore steps have to be taken to provide the people with better access and control over their data.
GDPR is one regulation which has managed to stir up quite a storm even before being enforced. On one hand, the data subjects are more than happy to welcome this regulation while on the other hand, companies are running scared from this law which can cost them as much as 20 million euros at least. The question on everybody’s mind is whether they are governed by this regulation, and if they are, how seriously should they be taking this law? The answer to the first is easy — as long as you are processing the data of a person based in the EU, you are governed by this regulation. To be able to answer the second question, one has to look at the reasons behind the making of this regulation which is simply to grant people more control over their data.
Considering GDPR is a regulation which is an improvement to the already existing data protection laws and carries with it a huge penalty in case of default is reason enough for people to take it seriously. Add to this the ample preparation time that it provided to people before being enforced and you have the makings of a robust law which demands attention.
GDPR is going to affect millions of people all over the world. Its effect surpasses the territory of EU and governs companies all over the world which might be processing the data of people protected under this regulation. Let’s take a look at what the ecosystem of data protection looks like today.
The regulation at first glance revolves around only the data controller/ processor and the data subject. Wherein the data subject enjoys a bunch of rights and the data controller/ processor has to constantly worry about the assessment and mitigation of risk.
However, a closer look introduces us to the Supervisory Authority who like a strict school teacher has to ensure that discipline is maintained and the law is upheld by strict yet reasonable compliance. In fact, though the data subject is at the centre of the equation, from a regulatory perspective, the key interaction is between the Supervisory Authorities and data controllers where the data subject is only a medium to ensure proper and effective compliance with this Regulation.
In order to ensure compliance with the regulation, the data controllers have to first assess the regulatory/ compliance risk and then take necessary steps to mitigate it. For this purpose, vendors come into the picture. The ‘process vendors’ help the data controllers assess and/ or mitigate risk and highlight the areas where data controllers are vulnerable. Technology vendors provide the backbone infrastructure to enable such assessment and mitigation to take place. Data controllers may work directly with technology vendors or use their technology via process vendors. Considering that we are talking about a huge volume of data per organisation and the things which firms need to do to be compliant are complex and technically demanding, the data controllers need all the help that they can get to deal with this regulation.
In the end, to complete this picture, add to this ecosystem, the law-makers and the citizens’ rights activists who will keep the fire alive because after all, laws are constantly evolving and who else to guide them except the ones who have decided to focus on the particular cause. Don’t forget the analysts, who help firms make decisions and provide research on relevant areas.
So with less than six months left for this Regulation to get enforced, it is incumbent that all the parties involved understand and prepare for what is to come. When Uncle Ben told Peter Parker, ‘with great power comes great responsibility’, he definitely didn’t have GDPR in mind.
This Regulation definitely has the potential to transform the way personal data is handled by firms and organisations and even though it seems like a lot of added responsibility, it definitely has a rather bright silver lining.
Good news o data subjects! You can now claim more control over your data so acquaint yourselves to the rights given to you under this regulation and who to turn to in case of the rights getting violated.
Dear data protection authorities, as you assuage controllers and processors to achieve greater compliance, fret not — state of the art technology is on the way to enable you to make data better for everyone.
And lastly, daring data controllers/ processors (firms), start to gear up for this regulation. You have very little time left to get your affairs in order. Realise that you are directly in the line of fire and therefore need to assess and mitigate the risk to the best of your ability.
Jokes apart, vendors must realise that privacy and data protection are serious issues and anything short of the most robust solution possible may not cut it and that beyond capitalising on the market opportunity, they are shouldering a massive responsibility.
Since controllers and processors are feeling the heat, even before GDPR is enforced, in the next article, we’ll take a look at what it may mean to be compliant.