GDPR overview

Globally, Data Privacy and Data Protection regulations / frameworks are undergoing developments and major rehauls, with EU GDPR leading the way. For example, in addition to GDPR, the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks are designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. In India, formulation of an Indian Data Protection Law has gathered pace with a committee of experts led by Justice Srikrishna set to release its report on data protection and privacy by May 2018-end. Moreover, various countries have already in place their customized Data Privacy regulations – e.g. South Africa (POPI Act), Canada (PIPEDA), UK (DPA), Australia (Australian Privacy Principles) and USA (sector specific regulations).

The full text of GDPR regulation can be accessed online at Compared to its 2 decade old predecessor which was only a “Directive” (EU Data Protection Directive), GDPR is a EU “regulation” by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify personal data protection rules for all citizens of European Union (EU), as well as free movement of such data within internal / single market of EU. Also, Chapter 5 of GDPR discusses transfers of personal data of EU data subjects to third countries or international organisations. GDPR aims to give control back to EU citizens over their personal data, in terms of how it is collected, stored and processed by Private and Govt. organizations. There is no distinction between personal data about an individual in their private, public or work roles – all are covered by GDPR. Also, GDPR applies only to natural persons, and not to legal persons (organizations).

EU GDPR is coming into force on 25 May 2018, and is the strongest Data Protection / Privacy regulation till date. Contrary to popular belief that GDPR’s territorial scope ís confined to European Union countries or European Economic Area, GDPR actually has global ramifications. This is clearly indicated in Art. 3 GDPR. The recent Facebook-cambridge analytica scandal has only added fuel to the fire on Data Privacy and Protection issues.

As per Art. 6 GDPR, there are 6 lawful grounds on basis of which personal data of EU data subjects can be processed: Consent, performance of a contract, Legal/Regulatory obligation, protecting the vital interests of the data subject or of another natural person, performance of a task carried out in the public interest, and legitimate interest.

Under GDPR, Rights of data subjects are defined in granular detail in Chapter 3 GDPR. These rights are The right to Access, The right of Rectification, The right to Erasure / be Forgotten, Right to restriction of processing, Right to data portability,  Right to object, Rights Related To Automated Decision Making And Profiling.

GDPR regulation has the concept of Data Controllers and Processors. Data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; Data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data controller. The new accountability principle under GDPR requires a Data Controller to demonstrate that it complies with the Principles relating to processing of personal data, and states explicitly that it is his responsibility.

GDPR mandates each EU member state to establish one or more independent Supervisory Authority (SA) to hear and investigate complaints, sanction administrative offences, etc. SAs in each member state will cooperate with other SAs, providing mutual assistance and organizing joint operations. Where a business has multiple establishments in the EU, it will have a single SA as its “Lead authority (LA)”, based on the location of its “main establishment” (i.e., the place where its main processing activities take place). The lead authority will act as a “one-stop shop” to supervise all the processing activities of that business throughout the EU.

Article 29 Working Party (WP29) consists of representatives of all EU member state in current Data Protection Directive era, and has advisory powers. Further, post 25 May, WP29 will be replaced by a European Data Protection Board (EDPB) which will have more powers than its predecessor WP29.