Business Standard

A tectonic shift

EU's data protection rules have key pointers for India


The European Union's General Data Protection Regulation (GDPR), which comes into effect from Friday, places great emphasis on concepts such as informed consent and the maintenance of privacy. Any organisation that controls or processes data of any EU resident must comply with the GDPR, or face the prospect of paying hefty fines of up to €20 million, or 4 per cent of annual global revenues, whichever is greater. The GDPR is based on "privacy by design", a concept that asks businesses to continuously and proactively review data protection and design future software architecture keeping data protection in mind. It is far more stringent than any standard previously in force. It dictates what data can be collected, outlines in detail the need for explicit consent in collection, and insists that consent must be separately taken for each distinct processing operation involving the same data. The GDPR also says any breach must be disclosed within 72 hours to the individuals whose data may be at risk, and there must also be a simple way for an individual to withdraw consent. Any organisation that conducts systematic processing or monitoring of sensitive personal data of EU citizens or residents must also appoint data protection officers to document and monitor data storage and processing within their organisations. Hence, the GDPR will cause a tectonic shift in the way the world, and not just the EU, manages data.

EU citizens also receive the right to be "forgotten" — they can ask data controllers to erase personal data under certain circumstances. They receive the right to data portability — they can ask service providers to port data out to another service provider. Citizens will also have the right to prevent automated profiling. This, for instance, prevents a software program from automatically rejecting a mortgage application or a visa request without human judgement being involved. The GDPR allows data transfers only to countries that provide "adequate" levels of personal data protection. Of crucial importance in this whole scheme is that transfers to non-EU states without adequate personal data protection are only permitted when there are specific contractual guarantees about data protection. In effect, this means any entity that does business with the EU must adopt these standards, even if data servers are located outside the EU in nations, such as India, where the laws are not so stringent.

The new regulations will in the short run place a considerable burden on businesses that have exposure to the EU. However, given that global data generation, and economic dependence on data, is growing at a rapid pace, these robust protections are necessary. Around 5 billion people use mobiles, 4 billion regularly use the internet and over 3 billion are regular social media users. Between 2013 and 2020, global data generation is projected to grow from 4.4 zettabytes to 44 zettabytes (one zettabyte is a trillion gigabytes) and more, and a great amount of that data is sensitive, personal and capable of being monetised. There has also been a large and growing number of cases of data breaches and data misuse in the recent past. Given that the EU is the world's largest economic zone, most businesses will strive to comply with the standards of the GDPR. This should encourage nations such as India to emulate the EU and speed up the creation of local data protection laws and of personal data protection standards that match the GDPR in scope and effectiveness.
