
General Data Protection Regulation

The Internet has revolutionized various sectors of the economy, and with its rise it has become
indispensable for smoothly carrying out day-to-day functions. The present era is often termed
the ‘Age of Data’, in which people routinely part with personal data while using various internet
services. With the exponential rise in users, incidents of identity theft, unauthorised access and
other such breaches have increased. Privacy concerns exist wherever personally identifiable
information or other sensitive information is collected, stored, used and finally destroyed or
deleted, in digital form or otherwise. The challenge of data privacy is to utilise data while at the
same time protecting individuals’ privacy preferences and their personally identifiable
information.

The Right to Privacy is a highly developed area of law in Europe and all the member states of
the European Union are also signatories of the European Convention on Human Rights. An
important part of EU privacy and human rights law is the data protection directive. It is a
European Union directive adopted in 1995 which regulates the processing of personal data
within the European Union.



The General Data Protection Regulation (GDPR), which was adopted in April 2016, will replace
the Data Protection Directive and will be enforceable from May 2018. GDPR is a regulation by
which the European Parliament, the Council of the European Union and the European
Commission intend to strengthen and unify data protection law for all individuals within the
European Union. It will also look into the export of personal data outside the EU. The GDPR
aims primarily to give control back to citizens and residents over their personal data and to
simplify the regulatory environment for international business by unifying the regulation within
the EU. It does not require national governments to pass any enabling legislation and is thus
directly binding and applicable, unlike the current directive, which needs legislation to be
passed. GDPR extends the scope of the EU data protection law to all foreign companies
processing data of EU residents. It also brings a new set of digital rights for EU citizens in an
age when the economic value of personal data is increasing in the digital economy.

The GDPR is the most significant piece of European Privacy legislation in the last twenty years
seeking to unify data protection laws across Europe. Under this regime companies must keep a
thorough record of how and when an individual gives consent to store and use their personal
data. When somebody withdraws consent at any point of time, then their details must be
permanently erased, and not just deleted from a mailing list. GDPR gives individuals the right to
be forgotten.

Privacy by Design and Default is the cornerstone of the GDPR. Privacy by design is a
fundamental component in the design and maintenance of information systems and mode of
operations for each organisation. This mandates that, from the initial stages onwards,
organisations must consider the impact that processing data can have on an individual’s privacy.
This means that every new business process or product that could involve personal data or
impact the privacy of an individual must be designed in accordance with data protection
requirements.

Article 25 of the GDPR codifies the concept of privacy by design. According to this, a data
controller is required to implement appropriate technical and organisational measures both at
the time of determination of the means for processing and at the time of the processing itself,
in order to ensure data protection principles such as data minimisation are met. The concept of
privacy by design promotes compliance with data protection laws and regulations from the
earliest stages of initiatives involving personal data. Although it puts more strain on the
conception and development of new initiatives, following privacy by design principles can be
used as a means to help ensure full compliance with data protection principles, to have issues
identified at an earlier and less costly stage, and to increase awareness of privacy and data
protection related matters throughout an organisation. Under the current regime no specific
requirement to implement privacy by design and default exists, but under the GDPR, which will
come into force, it is inherent.

The data controller, while implementing privacy by design, needs to take into account the state of
the art, cost of implementation and the nature, scope, context and purposes of processing as
well as the likelihood and severity of risks to the rights and freedoms of natural persons posed
by the processing of their personal data. Privacy by design is a technical approach. While the
incentives and will to invade privacy may be social problems, the actual ability to do so is a
technical problem in many instances. Thus, dealing with it at the technology level is necessary.