Understanding the General Data Protection Regulation (GDPR)

The GDPR, or the Datenschutz-Grundverordnung (DSGVO) in German, may well be one of the most groundbreaking pieces of legislation passed by the EU, directly or indirectly affecting not just EU citizens but internet users all across the globe. However, to make it a real success, one of the most important factors is that we must be better informed about, and aware of, the provisions of this regulation.

GDPR is the first genuine effort to unify the plethora of disparate privacy regulations put forward by different regulatory bodies. It aims not only to give citizens more control over their personal data, but also to make compliance easier for businesses by defining unified guidelines. It also presses businesses, especially those dealing with sensitive personal data, to build their information systems in a way that conforms to Privacy by Design. These regulations aim to ensure more transparent handling and processing of personal data, and to create an environment of trust and awareness on both sides, i.e., the data owner as well as the controllers and processors.

GDPR mandates that the highest privacy settings be used by default and that ‘explicit and verifiable’ consent be obtained from the data subject; at the same time, it bestows the Right to Access and the Right to Erasure, which enable more transparency and accountability in the handling of personal data. The penalties for non-compliance are significant enough that all kinds of companies, from small start-ups to large corporations, must take steps to follow these regulations.

To provide a brief introduction to the topic, I wrote a small paper, which can be found here. Hopefully, it helps in providing a more comprehensive understanding of the provisions of this law without using a lot of legal jargon. Indeed, the technology that enables the GDPR is nothing new and has existed for decades, including our encryption methods. However, the growth in the number of internet users, and the importance of data in current times, has necessitated this urgent push.

It remains to be seen how citizens and businesses react to the GDPR. Many businesses have voluntarily extended the coverage of the GDPR to non-European citizens as well, which is certainly a bright spot. The effort itself, after years of deliberation in the EU Parliament on a subject that is important and yet so personal, is commendable. To make it successful, we will have to work together to ensure higher awareness amongst internet users regarding the GDPR itself, and to encourage them to give their consent in a judicious and privacy-aware manner. Privacy awareness will surely lead to a safer internet, with fewer instances of personal information being spilled. Our politicians have taken the first step towards providing us some guarantees and control over how our personal information is used. Now, the ball is in our court.