What is the impact of the General Data Protection Regulation (GDPR) and How It can affect a Business?

Soniya Khanna

06 Jul, 2023

The EU adopted General Data Protection Regulation (GDPR) in 2016 which became effective on May 25, 2018. It is also known as the new European Privacy Regulation. The law contains 11 Chapters divided into 99 articles and it runs into 88 pages. It is applicable across European Union (EU) and European Economic Area^[1] (EEA). It harmonizes the right to protect personal data and the free flow of personal data. It protects the personal information of the citizens of the EU from being misused by a controller or processor established either within the EU and EEA or outside. So to continue functioning in the EU, foreign online businesses that operate in the EU and EEA shall have to abide by the General Data Protection Regulation.

As per GDPR, personal data means any information regarding a person such as a name, photo, email address, bank details, locations, computer IP address, etc of the person. GDPR provides greater control to its citizens over their personal data.

GDPR provides a wide range of rights to the citizens referred to as data subjects in GDPR. Rights that protect and prevent the processing of personal information without the consent of data subjects unless it is in the public interest or explicitly prescribed under General Data Protection Regulation. The personal data of a data subject can be processed only based on the consent, performance of a contract or legal obligation, vital interests of data subjects, public interest, and legitimate interest. The consent of the data subject plays a significant role under this regulation. Any data processed without the consent of the data subject, unless for exceptions prescribed under the GDPR, shall amount to unlawful processing of data.

General Data Protection Regulation also requires every company dealing with personal data to appoint a data protection officer or a data controller. A data controller is a person who is responsible for GDPR compliance and determines the purpose and means for processing personal data. The data controller should be able to prove that the data subject has given consent. For that matter, consent should be clear and distinguishable from other matters. Under the GDPR, the data subject has a right to withdraw his or her consent at any time. This empowers the data subject to protect his personal information at any point in time. GDPR has put the interests and rights of data subjects at the upper hand when compared to the rights of controllers/processors.

What are the basic rights guaranteed to data subjects under General Data Protection Regulation (GDPR)?

The basic rights available to the data subjects under the GDPR are as follows:

1. Right to access- It means that the data subjects have a right to access their personal data and they may also inquire how and where their data has been used by an organization after its collection.
2. Right to be forgotten- It means that the data subjects may at any time withdraw their consent from an organization to use their personal data and they also have a right to get their data deleted from the records of the organization.
3. Right to data portability- It means that the data subjects have the right to get their data transferred from one service provider to another service provider. However, the transfer should be done in a commonly used machine-readable format.
4. Right to be informed– It means that the data subjects should be informed about the collection of their personal data by the organization interested in collecting it. It is upon the data subjects to give their consent or not for the collection of their personal data. Further, consent should be granted freely and expressly.
5. Right to have the information corrected- It means that the data subjects have a right to get their personal data updated and corrected.
6. Right to restrict processing– It means that the data subjects have a right to withdraw their consent or decline the processing of their personal data at any point in time. There can be instances where consent for the collection of personal data is given by the data subject but not for processing. In such cases, the data can remain in place but cannot be processed.
7. Right to object- It means that the data subjects have the right to object or stop the processing of their data being used for direct marketing. Once a data subject objects, the processing should stop immediately. Further, an organization must make this right clear at the very beginning of any communication.
8. Right to be notified- It means that in the event of a breach of data which compromises a data subject’s personal data, he should be informed within 72 hours from the time of being aware of the breach.

What is the impact of the General Data Protection Regulation (GDPR)?

GDPR is strict when it comes to the consent of data subjects. Data subjects can withdraw their consent at any point in time so it also requires organizations to seek consent at every step. This leads to separate consents being obtained for different processing activities. Therefore, under General Data Protection Regulation it is not sufficient to assume that consent has been granted or just adding a disclaimer is not sufficient. GDPR has increased the compliance process which has necessitated organizations to undergo changes in their processes and undertake new ways to collect information. Now the application forms have to be compliant with double opt-in rules. When the data subjects are filling out the form they have to fill the form and agree to the T&Cs and then confirm that it was their action in an accompanying e-mail. Further, the organization must be in a position to prove that consent was given in case a dispute arises. For this, the data held must have a time-stamped audit trail providing detailed information about the information that the data subject had consented to be collected. 

How can the GDPR affect a business?

Despite GDPR being an EU law, it has a far-reaching application beyond the EU borders. Every country foreign to the EU and doing business in the EU has to comply with GDPR. Outside the EU, the law will be applicable if any business is using the personal data of EU citizens for offering goods and services to them or for monitoring their online behaviour for developing a marketing strategy within the EU. Some points on how the GDPR has affected the functioning of businesses are as follows:

• Businesses focus on building higher levels of service and trust.
• Prior consent from the data subjects is necessary before the collection of data.
• Businesses should develop a proper mechanism for data subjects to access their personal data.
• A business has to inform the data subjects in case of a security breach affecting their data.
• Businesses must take special care of the interest of the data subjects especially when the information collected relates to health, race, religion, political alignment, and sexual orientation.
• Businesses must provide the data objects the right to opt out of a process of collection and retention of data.
• Businesses must set up cyber insurance departments to protect the business against GDPR fines and penalties.
• Businesses have to make legal arrangements while transferring data outside the EU.

How are fines and penalties levied under General Data Protection Regulation (GDPR)?

General Data Protection Regulation imposes a heavy penalty in cases of failure to comply with it. Fines up to 10 million euros or 2% of the total annual income of the previous year of a company, whichever is higher can be imposed. For severe violations, the fines can go up to 20 million euros or 4% of the total annual income of the company in the previous year, whichever is higher. The hefty compliance requirement and penalties have resulted in the exit of many android applications from the EU.

What are the benefits of the General Data Protection Regulation (GDPR)?

There are many benefits of the GDPR however, the most crucial benefits are as follows:

1. Consent of the data subject plays a significant role
   The crux of the entire GDPR comes down to the consent of the data subjects. GDPR has made consent the basis for collecting and retrieving data from data subjects. There is no way a business can get over them with long contract clauses which the users do not read. GDPR has removed the concept of implied consent. Explicit consent is required for the collection and processing of information. Further, the GDPR will be applicable across the globe if the data belongs to an EU citizen.
2. Data subjects have a right to be forgotten
   A new right in the history of data protection that GDPR has incorporated in it is the right to be forgotten. This allows the data subjects to withdraw their personal data from the organization at any point in time. It gives data subjects full rights over the extent of use of their personal data. If at any time, the data subject changes his mind he can request the organization to delete the information. 

Since this law supersedes every other law, organizations cannot refer to backdated contracts. They are legally bound to undertake fresh contracts for obtaining fresh consent.

What are the disadvantages of the GDPR?

The disadvantages of GDPR are as follows:

1. Increase in spam
   Where GDPR aims to reduce spam, it has also become a cause of massive spamming by triggering several emails seeking consent for the use of data. This makes it difficult for customers to differentiate the details and they end up blindly clicking on the T&Cs defeating the very purpose of the GDPR.
2. Complex and expensive
   GDPR increases the complexity of business and makes compliance expensive. Larger businesses may find it easier to adopt due to the availability of funds to adopt as per GDPR however, small business face difficulties making it harder for them to compete with larger businesses.

Conclusion

Data privacy has become important in the digital world. General Data Protection Regulation may come with changes, costs, and complexities for businesses but it also creates opportunities. Businesses that comply with the GDPR prove that they value the privacy of individuals and are transparent about the use of data. General Data Protection Regulation does not intend to make business operations complex it only intends to put the interest of the data subjects on priority. So to sum it up, GDPR has some benefits and disadvantages. The advantages largely accrue to the data subjects. The disadvantages accrue largely to medium to small businesses.

Also Read:
Privacy Issues with Digital Identification and Verification
The Digital Personal Data Protection Bill, 2022: An Overview