Understanding What GDPR Is and How It Applies as an International Electronic Information and Transactions (ITE) Law - MindaFilm

Not long ago the world was shaken by the misuse of Facebook users' data by the analytics firm Cambridge Analytica. Facebook boss Mark Zuckerberg promised to improve the privacy controls for its users so that such misuse would not happen again.

Before Facebook made that commitment, the European Union had already stressed the importance of protecting internet users' data in the GDPR (General Data Protection Regulation). From 25 May 2018 the regulation applies across the EU, and also to organisations outside the EU that process the personal data of people in the EU.

Every company that stores the data of people in the EU must comply with the regulation. The United Kingdom, which is in the process of leaving the EU, has also drawn up its own rules in a Data Protection Bill whose content is broadly the same as the GDPR. So what impact does the GDPR have?

Don't assume the GDPR only applies to companies based in Europe. It must also be complied with by companies outside Europe that want to use the data of people in the EU, for example to target advertising. According to the Mirror, the GDPR has 99 articles setting out the rights of data subjects and the obligations a data holder must meet if it wants to use that data.

The GDPR states that personal data may not be used unless the data subject has given permission, or another lawful basis applies. For consumers, the policy protects them from having their data used in ways they do not want. Consumers can also request a copy of their data from a company or organisation; the first copy is free of charge, and a reasonable fee may be charged only for further copies.

With that protection in place, consumers should see far less of the unsolicited marketing that currently floods e-commerce customers' inboxes. On the other hand, applying the GDPR has financial consequences for the companies and organisations that hold the data.

Companies have no choice but to set aside extra budget to keep customer data confidential. That budget is still cheaper than a data leak. For the most serious infringements (breaching the basic processing principles, ignoring data subjects' rights, or unlawful international transfers) the fine is up to 20 million euros or four percent of global annual turnover, whichever is higher. Infringements of the security and breach-notification obligations, which is where a leak caused by inadequate security falls, carry a fine of up to 10 million euros or two percent of global turnover, whichever is higher.

Yet the GDPR is also seen as a good moment to improve relations between companies and consumers. "GDPR is a great opportunity to reassure consumers and to take a closer look at how data is collected and stored. The policy also prepares us for a world that increasingly treats data as a valuable asset," said Juerg Birri, Global Head of Legal Services at the audit and advisory firm KPMG.

Here is the GDPR regulation itself

What is the GDPR?

The EU's General Data Protection Regulation (GDPR) was introduced to unify all EU member states' approaches to data regulation, ensuring data protection law is applied identically in every EU country. It protects people in the EU from organisations using their data irresponsibly and puts them in charge of what information is shared, where and how.

The GDPR applies from 25 May 2018 - and even though the UK is due to leave the EU within the next 12 months, it will still apply to all businesses handling EU residents' data, effectively replacing the Data Protection Act 1998.

Complying with GDPR is vital. Any business found not sticking to the rules could be fined up to €20 million or 4% of the company's global annual turnover, whichever is higher, though that top tier is reserved for the most serious infringements, such as breaching the basic processing principles or data subjects' rights.

Why was the GDPR drafted?

The GDPR was created to regulate how businesses use data and to make those rules the same across the entire EU. It applies to small businesses as well as large corporations, but recent stories such as the Cambridge Analytica scandal have shown that big organisations such as Amazon, Google, Twitter and Facebook have not been held to a single, consistent set of rules.

The Data Protection Act 1998, the UK's implementation of the EU's Data Protection Directive of 1995, did not anticipate contemporary uses of data enabled by the internet and cloud, where people exchange their personal data for 'free' services from the likes of Google, Twitter and Facebook; GDPR aims to rectify this.

The second driver is the EU's desire to give organisations more clarity over the legal environment in which they operate. By making data protection law identical throughout member states, the EU estimates companies will collectively save €2.3 billion a year. Compliance should be less onerous for businesses, which need to meet one set of rules rather than dozens of national implementations of the 1995 Directive.

When will the GDPR apply?

The GDPR applies in all EU member states from 25 May 2018. Because the GDPR is a regulation rather than a directive, the UK does not need to transpose it into new legislation; it applies automatically. The regulation entered into force on 24 May 2016, once all EU institutions had agreed the final text, but businesses and organisations have until 25 May 2018 before it actually applies to them.

While the overwhelming majority of IT security professionals are aware of the GDPR, just under half of them are preparing for its arrival, according to a snap survey of 170 cyber security staff by Imperva.

Just 43% are assessing the GDPR's impact on their company and changing their practices to keep in step with data protection legislation, Imperva found. Although the respondents were mostly US-based, they would still be caught by the GDPR if they handle - or contract another firm to handle - the personal data of people in the EU.

Despite this, nearly a third said they are not preparing for the incoming legislation, and 28% said they were unaware of any preparations their company might be making.

So who does the GDPR apply to?

'Controllers' and 'processors' of data must abide by the GDPR. A controller determines how and why personal data is processed, while a processor processes the data on the controller's behalf. A controller could be any organisation, from a profit-seeking company to a charity or government department; a processor could be an IT firm (a hosting or SaaS provider, say) doing the actual processing.

Even if controllers and processors are based outside the EU, the GDPR still applies to them if they offer goods or services to people in the EU or monitor their behaviour, and so process those people's personal data.

It is the controller's responsibility to ensure its processors abide by data protection law, normally through a written contract, and processors must themselves keep records of their processing activities. If processors are involved in a data breach, they are far more directly liable under the GDPR than they were under the Data Protection Act.

When can I process data under the GDPR?

Once the legislation applies, controllers must ensure personal data is processed lawfully, transparently, and for a specified purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted or anonymised.

What do you mean by 'lawful'?

'Lawfully' means resting on one of six lawful bases, not all of which need apply. Processing is lawful if the subject has consented to it. Alternatively, it is lawful if it is necessary to perform a contract or comply with a legal obligation; to protect an interest that is "essential for the life of" the subject (their vital interests); if it is in the public interest or the exercise of official authority; or if it is in the controller's legitimate interests, such as preventing fraud, and those interests are not overridden by the subject's rights.

At least one of these justifications must apply in order to process data.

How do I get consent under the GDPR?

Consent must be an active, affirmative action by the data subject, rather than the passive acceptance allowed under some current models, such as pre-ticked boxes or opt-outs. It must also be as easy to withdraw as it was to give.

Controllers must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want. If your current model for obtaining consent doesn't meet these rules, you'll have to bring it up to scratch, or stop collecting data under it, by the time the GDPR applies in May 2018.

What counts as personal data under the GDPR?

The EU has substantially expanded the definition of personal data under the GDPR. To reflect the types of data organisations now collect about people, online identifiers such as IP addresses and cookie IDs now explicitly count as personal data. Other data, such as economic or cultural information, is personal data too, and health information (including mental health) falls into the 'special categories' that attract stricter rules.

Pseudonymised personal data (data where direct identifiers have been replaced with a token or a hash) is still personal data if the controller, or anyone else, holds the additional information needed to link it back to an individual, or if the pseudonym can be reversed with reasonable effort. Only data that is genuinely anonymised falls outside the GDPR.
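The re-identification risk behind "how easy or hard it is to identify whose data it is" can be made concrete. The following Python is an added example, not code from the original article: it pseudonymises a client IP address (which the GDPR treats as personal data) first with an unkeyed SHA-256 hash, then with an HMAC under a secret key the controller keeps separately, and runs a dictionary attack against both. The sample address and the /24 search range are constructed for the demonstration; a real attacker can enumerate the entire IPv4 space (2**32 candidates) just as mechanically. The keyed pseudonym survives the attack, but because the controller can still link it back with the key it remains personal data under the GDPR (Article 4(5) and Recital 26); only data that nobody can reasonably re-identify is anonymous.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

# Constructed sample: the client IP from a web log. The address is taken
# from the 203.0.113.0/24 documentation range, so it belongs to nobody.
SAMPLE_CLIENT_IP = "203.0.113.7"


def naive_pseudonymise(ip: str) -> str:
    """Unkeyed SHA-256 of the address. Deterministic and public: anyone
    who knows the scheme can rebuild the mapping by hashing candidates."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def keyed_pseudonymise(ip: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key the controller stores separately
    from the pseudonymised data. Without the key a pseudonym cannot be
    matched against candidate addresses."""
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()


def reidentify(pseudonym: str, candidate_network: str) -> Optional[str]:
    """Dictionary attack on the unkeyed scheme: hash every address in the
    network and compare. IPv4 has only 2**32 addresses, so covering the
    whole space is feasible; a /24 keeps this demonstration fast."""
    for host in ipaddress.ip_network(candidate_network):
        if naive_pseudonymise(str(host)) == pseudonym:
            return str(host)
    return None


def demo() -> dict:
    """Run both schemes on the sample address and attack each one."""
    key = secrets.token_bytes(32)  # held apart from the pseudonymised data
    naive = naive_pseudonymise(SAMPLE_CLIENT_IP)
    keyed = keyed_pseudonymise(SAMPLE_CLIENT_IP, key)
    return {
        # The unkeyed hash is reversed by brute force.
        "naive_recovered": reidentify(naive, "203.0.113.0/24"),
        # The same attack finds nothing for the HMAC pseudonym.
        "keyed_recovered": reidentify(keyed, "203.0.113.0/24"),
        # The controller, holding the key, can still match a fresh record
        # to the stored pseudonym, so the data is still personal data.
        "controller_can_match": hmac.compare_digest(
            keyed, keyed_pseudonymise(SAMPLE_CLIENT_IP, key)
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The practical lesson for a controller is that a bare hash of a low-entropy identifier (IP address, phone number, national ID) is not pseudonymisation in any meaningful sense, and the key for the keyed variant needs the same access controls and separation from the data that the regulation's "additional information" wording implies.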

Anything that counted as personal data under the Data Protection Act also qualifies as personal data under the GDPR.

When can people access the data we store on them?

With the aim of giving people more control over their information, GDPR ensures people can ask to access their data at "reasonable intervals", with controllers having a month to comply (extendable by two months for complex requests). Controllers must make clear how they collect people's information, what purposes they use it for, and how they process it. The legislation also says firms must use plain language to convey these things clearly and coherently: it's time to wave goodbye to confusing, dense terms and conditions.

People have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it's stored for, and who gets to see it. Where possible, data controllers should provide secure, direct access for people to review what information a controller stores about them.

They can also ask for that data to be rectified whenever it is incorrect or incomplete.

What's the 'right to be forgotten'?

GDPR makes it clear that people can have their data deleted if it is no longer needed for the purpose it was collected for, if it was processed unlawfully, or if they withdraw the consent it was collected under or object to the processing and the controller has no overriding grounds to continue. They might do so because they object to how an organisation is processing their information, or simply don't want it collected anymore. The right is not absolute: a controller can refuse where, for example, it has a legal obligation to keep the data.

Where the controller has made the data public, it is also responsible for taking reasonable steps to tell other controllers (a search engine such as Google, for instance) to delete links to, and copies of, that data.

What if they want to move their data elsewhere?

Then you have to let them - and swiftly: the legislation means citizens can expect you to honour such a request within a month. Controllers must provide the data in a structured, commonly used and machine-readable format, such as CSV or JSON, so that when it moves to another provider it can still be read. The right covers data the individual provided themselves that is processed by automated means on the basis of consent or a contract.

What if we suffer a data breach?

It's your responsibility to inform your data protection authority of any data breach that is likely to put people's rights and freedoms at risk, within 72 hours of your organisation becoming aware of it. In the UK the authority is the Information Commissioner's Office (ICO). Information Commissioner Elizabeth Denham believes the authority needs more resources to cope with policing GDPR and responding to organisations that notify it of breaches. In March 2017, she told the EU Home Affairs Sub-Committee that more funding was necessary to recruit and retain skilled people.

That deadline is tight enough that you probably won't know every detail of a breach within the window, and the regulation allows the details to be supplied in phases. Your initial contact with your data protection authority should still outline the nature of the data affected, roughly how many people are impacted, what the consequences could be for them, and what measures you have already taken or plan to take in response.

Where the breach is likely to result in a high risk to the people affected, you must also tell them directly, without undue delay, so that they can protect themselves (by changing passwords, say). Those who fail to meet the 72-hour deadline could face a penalty of up to €10 million or 2% of their annual worldwide turnover, whichever is higher.

If you don't follow the basic principles for processing data, such as having a legal basis for doing so, if you ignore individuals' rights over their data, or if you transfer data to a country outside the EU without an adequate safeguard, the fines are even worse. Your data protection authority could issue a penalty of up to €20 million or 4% of your global annual turnover, whichever is greater.

If you take recently issued fines issued by the ICO - which can hand out a maximum penalty of £500,000 - and scale them up under GDPR, you can see how much tougher the penalties for getting data protection wrong could soon become.

So under GDPR, TalkTalk's record £400,000 fine would actually total £59 million, according to risk mitigation firm NCC Group - a big chunk of the telco's third-quarter 2016 revenue of £435 million. Meanwhile, the ICO's total fines for 2016, which amounted to £880,500, would become £69 million from 25 May 2018 on the same analysis - 79 times higher.

However, it's important to note that while the maximum fines that can be issued will become much higher under GDPR, the legislation stipulates that they must remain "proportionate" to the breach. Also, if you can demonstrate that you work hard to ensure your organisation is compliant with GDPR, the ICO would likely not issue as high a fine in the event of a breach as it would otherwise.

But what about Brexit?

Yes, the UK is leaving the EU - but because the UK government only triggered Article 50 in March 2017, starting a two-year process to leave (which could take longer), the GDPR takes effect before the legal consequences of the Brexit vote, so the UK must still comply.

A new Data Protection Bill, put forward by the UK government in August 2017, essentially replicates the requirements of GDPR into UK legislation, meaning those compliant with GDPR should be compliant with the new UK data protection law.

Much like the stipulations of GDPR, the bill sets out sanctions for non-compliant organisations, permitting the Information Commissioner's Office (ICO) to issue fines of up to £17 million, or 4% of global turnover, whichever is higher (compared to €20 million or 4% of turnover under GDPR).

It also provides provisions for the right to be forgotten, adding the ability for data subjects to demand social media companies erase any posts they made during childhood, a good opportunity for embarrassed adults to delete things they said in their teenage years.

The bill also proposes to modernise current data protection regulations by expanding the definition of personal data to include IP addresses, internet cookies, and DNA.

By aligning with GDPR, the UK hopes to build an enhanced data protection mechanism that goes beyond the adequacy model the EU imposes on 'third' countries, allowing personal data to flow freely between the UK and EU.

Digital minister Matt Hancock said: "Bringing EU law into our domestic law will ensure that we help to prepare the UK for the future after we have left the EU. We are committed to ensuring that uninterrupted data flows continue between the UK and the EU and other countries around the world."

Tech industry bodies took it upon themselves to warn off government ministers from diverging from the EU's data protection rules in an open letter published in February 2018.

The letter responded to ministers' suggestions that the UK might gain a commercial advantage from taking a less stringent approach to data protection than that outlined under GDPR.

"UK tech companies are clear that this is not a view held by the sector, which sees the UK's implementation of GDPR as a key pillar to the future success of the digital economy," wrote TechUK CEO Julian David, whose lobby group represents hundreds of UK technology firms, in a letter addressed to international trade secretary Liam Fox.

David pointed out that with GDPR applying to any organisation processing or using EU residents' personal data from 25 May 2018, companies are already busy preparing for the legislation.

"Disrupting GDPR implementation would not be welcomed by businesses," he added. "There is no desire for another wholesale revision of data protection rules any time soon."

Apart from explaining that GDPR puts people at the heart of data protection, David also argued that aligning with the legislation is an essential step in producing data protection legislation once Britain exits the EU.

The government is already working on a new Data Protection Bill that effectively replicates GDPR into UK law, and David said such a step is crucial for the UK's economic success.

He added: "The tech sector is clear that diverging from EU data protection post-brexit is neither desirable nor helpful. The GDPR represents a high standard of protection for citizens' information, which will help build trust in the digital economy."

Is the Investigatory Powers Act compatible with GDPR?

What's unclear, however, is whether other new UK legislation will be deemed compatible with the GDPR once the UK leaves the EU. For example, under the UK's Investigatory Powers Act, ISPs can be compelled to collect customers' internet connection records and retain them for up to 12 months. The government is currently having to rewrite parts of that law after the equivalent powers in the earlier DRIPA legislation were found to be unlawful.

But Hancock wrote in October 2017 that "UK national security legislation should not present a significant obstacle to data protection negotiations."

Do we need a data protection officer?

Any public body carrying out data processing must appoint a data protection officer, as must companies whose core activities involve regular and systematic monitoring of individuals "on a large scale", or large-scale processing of special categories of data (such as health data) or criminal-conviction data. Public bodies are at an advantage in that several can share one data protection officer, as can a group of companies. Organisations should give the officer's contact details to their data protection authority.

The data protection officer's job is to inform and advise the organisation about meeting GDPR requirements and to monitor compliance. They also act as the data protection authority's primary point of contact and are expected to cooperate with it.

Alright, so how do we go about meeting the GDPR requirements?

The best advice is to start preparing for it as early as possible - 25 May 2018 might sound far away, but there's a lot to get right. Immediately, you should seek to employ a data protection officer if necessary, and check the current state of your data protection rules and policies, particularly consent.

Anthony Merry, head of data protection at Sophos, said firms should start by reviewing the current state of their data protection policies, before updating them.

"Businesses need to review their data protection policies and technology to check they are compliant, and should not be shy of reaching out to their local regulatory body or to a trusted consultant for advice to ensure they get it right," he said. "Be proactive and protect the data you hold, encrypt it and always keep up to date with your security solutions. Data breaches occur every day - and the EU have just increased the consequences of inadequate security."

The issue, however, is how long such a process will take.

Justin Tivey, legal director at law firm Bond Dickinson, said it is crucial companies start now to get their policies into shape.

"The two-year implementation period may sound relaxed but it will only be so for those who start to tackle the issues raised by the GDPR now," he said.

"Organisations need to start by understanding what data they acquire, hold and process and the legal basis for that. Privacy needs to be designed into systems and processes and respect for data subject rights needs to be stepped up. Policies and procedures for handling any security breaches need to be in place. At its heart, however, data protection is about the same issues - understanding what data you hold and why."

Then work out what procedures you need to adopt, or update, to comply. Introduce these as quickly as possible so you can start educating your workforce about them.

If you work with any third-party suppliers who would count as processors, check what their data protection policies are and whether they comply - if they don't, it might be time to tender again.

It's also worth looking out for technology that will help you meet requirements around data deletion and data portability.
Reviewed by Admin on October 04, 2018