GENERAL DATA PROTECTION REGULATION

ASHISH SANDAPU - 190103191


What is GDPR?
The General Data Protection Regulation (GDPR) is a set of rules implemented to give people in the European Union (EU) more control over their personal data. It also simplifies the regulatory environment so that both citizens/consumers and businesses can benefit fully from the digital economy.
The European Commission set out to change data protection across the European Union to make Europe 'ready for the digital age'. The GDPR was one of the critical components of the reform adopted in April 2016, and it applies to organizations in all the EU member states. It replaced the Data Protection Directive 95/46/EC on 25 May 2018 as the primary law protecting the personal data of people in the EU (it protects anyone located in the EU, not only EU citizens). The reform is designed to reflect the current world situation and to bring obligations concerning personal data, consent, and privacy.
Today, almost every part of our lives revolves around the collection and transfer of data. Nearly every service we use - social media sites, banks, retailers, and governments - involves the collection of personal data: your name, family details, address, phone numbers, credit card details, and more. Perhaps more importantly, this data is also stored by organizations, and while it is stored, data breaches may occur. This is where the GDPR comes in. Under the GDPR, organizations must not only collect data lawfully; they must also protect that data from misuse and exploitation, or face a penalty for failing to do so.
 
GDPR compliance:
The GDPR mandates a set of standards that companies must meet when collecting and organizing personal data. Its purpose is to implement a uniform data protection law across all EU member states.

A few of the essential requirements include:

1. Having a lawful basis for each processing activity. Consent of the data subject is one such basis, and where consent is relied on it must be freely given, specific, informed, and unambiguous.
2. Pseudonymising or anonymising collected data where possible to protect privacy (fully anonymised data falls outside the scope of the GDPR).
3. Notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and notifying the affected individuals without undue delay when the breach poses a high risk to them.
4. Safe handling of data transfers across borders, i.e. to countries outside the EU.
5. Appointing a Data Protection Officer (DPO) to oversee GDPR compliance where the regulation requires one (for example, public authorities, and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data).

Who is subject to GDPR compliance?

The GDPR applies to all organizations established in the EU, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour. So, all major global firms need to be GDPR compliant to continue operating in Europe.
The GDPR defines two roles for organizations that handle personal data:
1. Controllers - The controller is the party that determines the purposes and means of the processing, and it carries the most responsibility for privacy protection. It must ensure lawfulness, fairness, and transparency when collecting data, must keep records of its processing activities (including those carried out by its processors) and provide them to the authorities when required, and must ensure that all contracts with processors comply with the GDPR.
2. Processors - A processor is a person or organization that processes personal data on behalf of the controller. It is typically a third party that may process the data only on the controller's documented instructions and only for the purposes the controller specifies. Processors must maintain records of the processing activities they carry out for each controller and provide them to the controller or the authorities when required. Unlike the earlier Directive, the GDPR places direct legal liability on processors, so a processor that suffers a breach can be held liable alongside the controller.

For example, consider that you have purchased an item from Amazon. The website collects personal information from the consumer, with consent, such as name, phone number, address, and credit card number, and asks whether this information should be stored for future purchases. Here, the website operator is the 'Controller', and a third party that processes this information on its behalf so that the purchase can be paid for and delivered is a 'Processor'.
 
Basic Principles to be followed by companies under GDPR:
1. Lawfulness, fairness, and transparency - The organization should process all personal data in a lawful, fair, and transparent manner.
2. Purpose limitation - The organization should make sure that data is collected for specified, legitimate purposes and is not further processed for any purpose incompatible with them.
3. Data minimisation - Data collected should be adequate, relevant, and limited to what is necessary for the purpose.
4. Accuracy - Data should be accurate and, where necessary, kept up to date. Inaccurate data should be erased or rectified without delay.
5. Storage limitation - Data should be kept in a form that permits identification of individuals for no longer than the purpose requires.
6. Integrity and confidentiality - The organization has to ensure that personal data is secured, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
7. Accountability - The organization (the controller) is responsible for complying with the above principles and must be able to demonstrate that compliance, including when data is lost or accessed unlawfully.
 
Rights given to individuals (data subjects) by the GDPR:

1. Right to be Informed - Transparency and choice are crucial under the GDPR. The right to be informed entitles the individual to know that personal data is being collected and why. The individual has to be informed about the purpose of the processing, the retention period of the data, and with whom it will be shared.
2. Right of Access - This ensures that the individual who provided personal data can find out what data about them is being processed, and can verify that it is being processed lawfully.
3. Right to Rectification - This allows the individual to request, verbally or in writing, that inaccurate data be corrected, and the organization must do so without undue delay.
4. Right to Erasure - The individual has the right to have specific personal data deleted. The data can be erased if the purpose for which it was collected is complete, if the individual withdraws consent or objects to the processing, or if the organization has processed the data unlawfully.
5. Right to Restriction of Processing - Individuals have the right to restrict the processing of their data if they have a particular reason (for example, they contest its accuracy or object to the processing) for wanting the processing of data they earlier shared through consent to be limited.
6. Right to Data Portability - This right allows individuals to obtain their personal data in a machine-readable format, reuse it for their own purposes, or have it transferred to another service.
7. Right to Object - The individual has the right to object to the processing of personal data for direct marketing purposes at any time, and the processing must then stop.
8. Rights related to automated decision-making, including profiling - This right is a safeguard against an adverse decision with legal or similarly significant effects being made solely by automated means, without human intervention.
  
GDPR Preparation Checklist:
There are five steps to prepare for this purpose:
1. Appoint a GDPR lead or team to review data handling processes: The organization should appoint a team with the authority to review the data handling processes. They must ensure:
a. Review of current mailing lists - Check the data for records of consent, separate the automated list of permissions, and remove individuals without a proactive consent record.
b. Documentation of the collected data - Take steps to document the data, make sure no information is accidentally missed, and confirm that the data was collected with consent.
c. Communication of the seriousness of the GDPR to the team - Ensure that team members understand the consequences of not following the GDPR.
2. Take care while collecting personal data by providing precise consent wording and creating an age verification process, since parental consent is required for children below the age threshold set by each member state.
3. Actively manage existing leads in a database: The organization must regularly maintain the existing data, send verification emails about consent, and create communication centres where consumers can manage their communication preferences.
4. Periodically update the privacy policy and notify users proactively.
5. Design a data breach plan and ensure that a breach is reported to the supervisory authority within 72 hours of becoming aware of it. Some steps to be carried out are:
a. Train employees on how to respond to and assist consumers facing problems.
b. Have a social media plan and train employees to respond to social posts.
c. Notify the consumers whose data was affected and publish information about the data breach as quickly as possible.
d. Assist consumers suffering from the data loss.
 
GDPR Penalties and Fines:
The penalties and fines under the GDPR are quite stiff, and national supervisory authorities have greater power to act against unlawful practices. The GDPR sets a maximum fine of 20 million euros or 4% of worldwide annual turnover for the preceding financial year, whichever is higher (a lower tier of 10 million euros or 2% applies to less serious infringements, such as failures in record-keeping or breach notification).
The national authorities can also take actions such as:
1. Issuing warnings and reprimands.
2. Imposing a temporary or permanent ban on processing data.
3. Ordering the restriction, rectification, or erasure of data.
4. Suspending data transfers to a third country.
The size of the penalty depends on several factors, including the nature, gravity, and duration of the infringement, whether it was intentional or negligent, previous infringements, the categories of data involved, and how the authority became aware of it (for instance, whether the organization reported it itself).
 
How does GDPR impact the digital marketing world?
The GDPR has played an important role in improving the security of data and ensuring data privacy. Below are a few ways in which it has affected the digital world:
1. Consumer Power: The GDPR is focused on giving more power to the consumer by granting them more rights. Companies must obtain personal data with consent (or another lawful basis) and in a fair, detailed, and transparent manner from the beginning. The organization is held accountable for any data loss, so the consumer can be more confident that their data is secured.
For example,
- When you visit Google, it asks for permission before signing you in or using your location.
- A social media app such as Instagram asks the user for permission to access storage, the camera, location, and so on.
- When installing an app from the iOS App Store or the Play Store, the app asks for permission to access various data such as location and storage.
These prompts show that the consumer has the right to decide who may access his or her data.

2. Appropriate tools and technology: The GDPR has made marketing efforts more difficult and expensive. However, these investments are relatively small compared to the penalties and fines that the GDPR imposes for non-compliance. The organization must ask for consent, explain how the data is being used, and prevent breaches. So, organizations need to deploy systems that monitor how data is processed at every stage. With consent, the organization can also store data and provide services to customers based on their interests.
For example, websites ask for permission to store cookies, which contain data about your interests, and then show items matching those interests.

3. Targeted and personalized advertisements for customers: The data that some organizations collect with consent is used to give consumers the latest information about goods and services. This has helped firms improve sales and has provided a more personalized experience for consumers. A smaller, better-defined target market has helped organizations cut their marketing budgets and reach consumers who are actually interested in their product. The GDPR has forced companies to adopt a user-centred approach and to focus on users' interest in the ads they send them.
For example,
- Airlines collect data on consumers with consent and email them about cheaper flights to make them aware of such offers.
- Shopping websites such as Amazon and Flipkart set cookies, and the next time the consumer visits, the site shows goods that match the consumer's interests.
- A website whose content the user has searched for can ask permission to send emails to the consumer, who also has the option to unsubscribe.

4. More equitable advertising space and usage of contextual advertising: Many websites must make sure that the data they have collected can be transferred, or managed by the consumer, for use with another service. Contextual advertising refers to showing ads based on what the consumer is currently looking at, rather than on a profile of the consumer. The ads appear in such a way that they seem to be a part of the page being browsed.
For example,
- The data collected by Google or Facebook can now be transferred to a competing service if the individual requests it (the right to data portability). This allows the competing service to advertise its products to the consumer based on the same behavioural traits.
- Suppose a person is reading an article about running on a newspaper website like 'The Hindu'; the website then shows an Amazon ad with prices for running shoes, chosen because of the article's subject rather than the reader's browsing history. This is an example of contextual advertising.
 
Conclusion:
The GDPR provides an example of an adequate and relevant policy for consumer data protection. While it may create complexity for some organizations in terms of cost, maintenance, and providing services to users, organizations need to abide by the rules and regulations of the GDPR to protect consumer data and retain consumer loyalty. The investment required to provide these services is also relatively small compared to the fines and penalties that the GDPR imposes. So, all organizations within the European Union (EU), and foreign companies doing business with people and companies within the EU, have to comply with the rules set down by the General Data Protection Regulation (GDPR).
 