The EU adopted the General Data Protection Regulation (GDPR) in 2016, and it became effective on May 25, 2018. It is also known as the new European Privacy Regulation. The law contains 11 Chapters divided into 99 articles and runs to 88 pages. It is applicable across the European Union (EU) and the European Economic Area[1] (EEA). It harmonizes the right to protect personal data with the free flow of personal data. It protects the personal information of the citizens of the EU from being misused by a controller or processor established either within the EU and EEA or outside. So, to continue functioning in the EU, foreign online businesses that operate in the EU and EEA have to abide by the General Data Protection Regulation.
As per GDPR, personal data means any information regarding a person, such as the person's name, photo, email address, bank details, locations, computer IP address, etc. GDPR provides greater control to its citizens over their personal data.
GDPR provides a wide range of rights to the citizens, who are referred to as data subjects in GDPR. These rights protect data subjects and prevent the processing of personal information without their consent unless it is in the public interest or explicitly prescribed under the General Data Protection Regulation. The personal data of a data subject can be processed only on the basis of consent, performance of a contract or legal obligation, vital interests of data subjects, public interest, and legitimate interest. The consent of the data subject plays a significant role under this regulation. Any data processed without the consent of the data subject, unless under the exceptions prescribed by the GDPR, shall amount to unlawful processing of data.
The General Data Protection Regulation also requires every company dealing with personal data to appoint a data protection officer or a data controller. A data controller is a person who is responsible for GDPR compliance and determines the purpose and means for processing personal data. The data controller should be able to prove that the data subject has given consent. For that matter, consent should be clear and distinguishable from other matters. Under the GDPR, the data subject has a right to withdraw his or her consent at any time. This empowers the data subject to protect his or her personal information at any point in time. GDPR gives the interests and rights of data subjects the upper hand over the rights of controllers and processors.
The basic rights available to the data subjects under the GDPR are as follows:
GDPR is strict when it comes to the consent of data subjects. Data subjects can withdraw their consent at any point in time, so it also requires organizations to seek consent at every step. This leads to separate consents being obtained for different processing activities. Therefore, under the General Data Protection Regulation it is not sufficient to assume that consent has been granted, nor is it sufficient just to add a disclaimer. GDPR has increased the compliance burden, which has required organizations to change their processes and adopt new ways to collect information. Application forms now have to be compliant with double opt-in rules. When data subjects fill out a form, they have to complete it and agree to the T&Cs, and then confirm in an accompanying e-mail that it was their action. Further, the organization must be in a position to prove that consent was given in case a dispute arises. For this, the data held must have a time-stamped audit trail providing detailed information about what the data subject had consented to have collected.
Despite GDPR being an EU law, it has a far-reaching application beyond the EU borders. Every country foreign to the EU and doing business in the EU has to comply with GDPR. Outside the EU, the law applies if a business uses the personal data of EU citizens to offer goods and services to them or to monitor their online behaviour in order to develop a marketing strategy within the EU. Some points on how the GDPR has affected the functioning of businesses are as follows:
The General Data Protection Regulation imposes a heavy penalty in cases of failure to comply with it. Fines of up to 10 million euros or 2% of the total annual income of a company in the previous year, whichever is higher, can be imposed. For severe violations, the fines can go up to 20 million euros or 4% of the total annual income of the company in the previous year, whichever is higher. The hefty compliance requirements and penalties have resulted in the exit of many Android applications from the EU.
There are many benefits of the GDPR; however, the most crucial benefits are as follows:
Since this law supersedes every other law, organizations cannot refer to backdated contracts. They are legally bound to undertake fresh contracts for obtaining fresh consent.
The disadvantages of GDPR are as follows:
Data privacy has become important in the digital world. The General Data Protection Regulation may come with changes, costs, and complexities for businesses, but it also creates opportunities. Businesses that comply with the GDPR prove that they value the privacy of individuals and are transparent about the use of data. The General Data Protection Regulation does not intend to make business operations complex; it only intends to give priority to the interests of the data subjects. To sum up, GDPR has some benefits and disadvantages. The advantages largely accrue to the data subjects. The disadvantages accrue largely to small and medium-sized businesses.