At a simplistic level, the new European General Data Protection Regulation (GDPR), which came into force on Friday, 25 May 2018, is about three fundamental issues:
1. Meaningful notice (the customer must be made aware)
2. Consent
3. Opt-out options.
Which is why there has been a mad scramble by many companies and organisations in the last few days to update privacy policies and reform practices throughout the data lifecycle, not just in Europe but in India too, because any organisation dealing directly or indirectly with European customers is obligated to be GDPR compliant. There is no getting away from that.
But let us start at the beginning.
It was way back in January 2012 that the European Commission set out plans for ‘data protection reform’ across the EU in order to make Europe ‘fit for the digital age’. It took a lot of discussion and deliberation for agreement to be reached on what was involved and how to enforce it. The General Data Protection Regulation (GDPR) is a key component of the new reforms; it applies to organisations in all member-states and has implications for businesses and individuals across Europe, and beyond. The single-minded thrust of the new regulation is to create solid common standards for data protection so that people can be sure they are in control of their personal information. The reforms are a trigger to bring laws and obligations - including those around personal data, privacy, and consent - across Europe up to speed for the internet-connected age.
Under the GDPR regime, not only will organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it will be obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners - or face penalties for not doing so.
But before we proceed any further, it is important to understand what constitutes ‘personal data’.
The types of data considered personal under the existing legislation in Europe and the UK include name, address, and photos. GDPR extends the definition of ‘personal data’ so that something like an IP address can also be included in ‘personal data’. GDPR also provides that sensitive ‘personal data’, such as genetic data and biometric data that could be processed to uniquely identify an individual, is covered under its ambit. Given these new requirements, organisations will have no choice but to quickly adopt techniques like ‘pseudonymisation’ in order to benefit from collecting and analysing personal data while the privacy of their customers is concurrently protected. (Although some experts are of the view that this already comes too late, given the number of connected devices in the world.)
Breaches and hacks are commonplace today the world over, putting confidential data like email addresses, passwords, social security numbers or even health records into the hands of shady individuals and dubious organisations. One of the major changes that GDPR will bring in is to provide consumers with a right to know when their data has been hacked. Organisations will be required to notify the appropriate national bodies as soon as possible in order to ensure EU citizens can take appropriate measures to prevent their data from being misused and abused.
For the record, one of the most important features of the GDPR is that consumers have been promised easier access to their own personal data in terms of how it is processed, with organisations told that they need to detail, at the time of collection and in the course of usage, how they use customer information in a clear and understandable way. Consent and opt-in are very important to the new GDPR. Customers have been assured an easy way of opting out of a mailing list or any other sign-up they may have committed to in the past. GDPR has also created a very significant ‘right to be forgotten’ process, which gives people who no longer want their personal data processed the right to have it deleted, provided there are no grounds for retaining it.
Organisations, both governmental and commercial, have been put under obligation to report any breaches which are likely to result in a risk to the rights and freedoms of individuals and lead to discrimination, damage to reputation, financial loss, loss of confidentiality, or any other economic or social disadvantage.
Last but not least, Article 4 of the GDPR defines two different types of data-handler to which the legislation applies: ‘controllers’ and ‘processors’. A controller is a ‘person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data’, while a processor is a ‘person, public authority, agency or other body which processes personal data on behalf of the controller’. GDPR ultimately places legal obligations on a processor to maintain records of personal data and how it is processed, creating a much higher level of legal liability should the organisation be breached. Controllers will also be forced to ensure that all contracts with processors are in compliance with GDPR.
Theoretically, the GDPR has nothing to do with India. At least for now. But that may not exactly be true. For one, Europe-headquartered organisations (Unilever being one) are normally prone to getting all their overseas entities to eventually also comply with EU-dictated norms as part of good global corporate governance. So, in the days to come, most European companies in India, especially the likes of Nestle, Unilever, GlaxoSmithKline, Nokia, Ericsson, L’Oreal, Danone, Heineken, Reckitt Benckiser, Pernod Ricard, Mercedes Benz, Volkswagen and many more, are likely to start the process of becoming GDPR compliant, and they will ensure that their vendors and partners also quickly fall in line.
What does this mean? Let me take an example from the advertising business. The question of customer opt-in will ensure complete disruption of the way digital agencies today ‘target’ consumers on the internet and mobile. In mobile in India, the current norm is that if a mobile subscriber does not want to receive ad-messages, he or she has to go to the ‘Do-Not-Disturb’ (DND) registry and put in their mobile number to indicate that they do not want such messages. Under the GDPR norm, the subscriber has to specifically opt in to receive ad-messages. The current system, in which everyone not on DND is fair game to be bombarded with targeted messages, will no longer work. This will surely substantially reduce the ‘addressable’ audience for most brands. More importantly, it will impact the highly lucrative business of ‘re-targeting’ that most digital agencies thrive on. The GDPR provisions will, once again, require specific customer opt-in before intrusive ad-messages can be sent.
The bigger problem that companies are going to face in Europe (and soon in India) is that with multiple touch points and interfaces with customers, they actually have access to far too much customer data, but few amongst them are investing enough to keep that data well protected. The ethical use of data actually has one basic problem: most organisations are not even aware of who has access to, and who uses, sensitive data within their own ecosystem. Compliance regulations and guidelines are very lax. No one even spends time cleaning up toxic data dumps. There are no investments to protect sensitive data appropriate to its value. Outsourcing data and allowing uninhibited access to vendors and partners can create unprecedented situations like in the case of Facebook. There is little or no sensitivity to risk assessment and security awareness, as most organisations do not realise that retaining customer data beyond what is required, or for longer than it is required, can itself create problems. Data management in India needs a lot of thinking. GDPR is surely going to provide that trigger.
A think tank led by Commerce Minister Suresh Prabhu is to come up with a national e-com policy by October. The framework for an e-commerce policy will also include data privacy, besides dealing with technical aspects such as localisation of servers, which is critical to data protection. How quickly corporate India decides to move on compliance remains to be seen. But one thing is for sure: the customer’s privacy rights can no longer be taken for granted.
(Sandeep Goyal is chairman of the recently launched Forum for Ethical Use of Data (FEUD). Goyal has many years of hands-on experience in dealing with data, its anonymisation and ethical usage.)