Mengenal Arti Apa itu GDPR dan Penerapannya sebagai Undang-undang ITE Internasional

Belum lama ini dunia digegerkan dengan kasus penyalahgunaan data pengguna Facebook oleh lembaga analisis Cambridge Analytica. Bos Facebook Mark Zuckerberg berjanji memperbaiki sistem privasi penggunanya sehingga penyalahgunaan data tak akan terulang lagi.

Sebelum Facebook menyatakan komitmen tersebut, Uni Eropa telah menekankan pentingnya perlindungan data pengguna internet yang tertuang dalam GDPR (General Data Protection Regulation). Pada 25 Mei mendatang, peraturan ini akan berlaku efektif di seluruh dunia.

Seluruh perusahaan yang menyimpan data warga Uni Eropa wajib tunduk pada regulasi tersebut. Inggris yang telah keluar dari Uni Eropa juga memiliki aturan sendiri yang tertuang dalam Data Protection Bill yang isinya kurang lebih sama dengan GDPR. Lalu, apa dampak yang ditimbulkan dengan pemberlakuan GDPR?

Jangan berfikir GDPR hanya berlaku bagi perusahaan yang berbasis di Eropa. GDPR juga wajib ditaati bagi perusahaan di luar Eropa yang ingin memanfaatkan data warga Uni Eropa misalnya untuk kepentingan penyebaran iklan. Dilansir dari laman Mirror, ada 99 pasal dalam GDPR yang mengatur hak pemilik data serta kewajiban yang harus dilakukan penyimpan data jika ingin memanfaatkan data tersebut.

Dalam GDPR disebutkan data-data personal tidak boleh dimanfaatkan apabila sang pemilik data belum memberikan izin. Bagi konsumen, kebijakan ini memberikan perlindungan bagi mereka agar data-datanya tidak dimanfaatkan di ranah yang tidak mereka sukai. Konsumen juga dapat meminta copy datanya ke perusahaan atau organisasi tanpa dipungut biaya sepeser pun.

Dengan perlindungan tersebut, kotak masuk email konsumen tidak akan lagi dibanjiri iklan-iklan dari e-commerce sebagaimana yang jamak terjadi saat ini. Namun di lain pihak, penerapan GDPR membawa konsekuensi finansial terhadap perusahaan atau organisasi penyimpan data.

Perusahaan mau tak mau harus menyiapkan dana ekstra untuk menjaga kerahasiaan data konsumen. Namun anggaran itu lebih hemat daripada nantinya terjadi kebocoran data. Apabila terjadi kebocoran data, maka perusahaan dikenai denda 20 juta Euro atau empat persen dari pendapatan global. Kasus kebocoran data yang lebih kecil akan dikenai denda 10 juta Euro atau dua persen dari pendapatan global perusahaan.

Akan tetapi GDPR juga dipandang sebagai momen yang tepat untuk meningkatkan relasi antara perusahaan dengan konsumen. “GDPR adalah kesempatan bagus untuk meyakinkan konsumen dan belajar dengan lebih dekat bagaimana data dikumpulkan dan disimpan. Kebijakan ini juga menyiapkan dunia yang semakin memandang data sebagai aset berharga,” kata Juerg Birri, Global Head of Legal Service di lembaga audit dan penasehat firma Swedia KPMG.

Inilah Undang-undang GDPR itu

What is the GDPR?
The EU’s General Data Protection Regulation (GDPR) was introduced to unify
all EU member states’ approaches to data regulation, ensuring all data
protection laws are applied identically in every country within the EU. It will
protect EU citizens from organisations using their data irresponsibly and puts
them in charge of what information is shared, where and how it’s shared.
The GDPR is due to come into force on 25 May – and even though the UK is
due to leave Europe in the next 12 months, it will still apply to all
businesses handling EU residents’ data, effectively replacing the Data
Protection Act 1998.
Complying with GDPR is vital. Any business found not sticking to the rules
could be charged fines of up to €20 million or 4% of the company’s global
annual turnover, though the toughest fines will be reserved for the worst data
breaches or data abuse.
Why was the GDPR drafted?
The GDPR was created to regulate how businesses use data, ensuring it’s the
same across the entire EU. Although it will apply to smaller businesses as well
as large corporations, recent stories, such as the Cambridge Analytica scandal,
have demonstrated how big organisations such as Amazon, Google, Twitter and
Facebook are not strictly complying to a single set of rules.
The Data Protection Act 1998, the UK’s interpretation of the EU’s Data
Protection Directive 1995, wasn’t envisaged with contemporary uses of data
enabled by the internet and cloud, with people exchanging their personal data
for use of ‘free’ services provided by the likes of Google, Twitter and
Facebook, and GDPR aims to rectify this.
The second driver is the EU’s desire to give organisations more clarity
over the legal environment that dictates how they can behave. By making data
protection law identical throughout member states, the EU believes this will
collectively save companies €2.3 billion annually. It should make complying
less onerous for businesses, with them only required to meet one set of rules,
compared to dozens of different implementations of the EU’s Data Protection
Directive 1995.
How can you ensure your email archives are secure and GDPR compliant? Learn
more about rethinking your customer data silos for GDPR in this free webinar.
Watch now
When will the GDPR apply?
The GDPR will apply in all EU member states from 25 May 2018. Because GDPR
is a regulation, not a directive, the UK does not need to draw up new
legislation – instead, it will apply automatically. While it came into force on
24 May 2016, after all parts of the EU agreed to the final text, businesses and
organisations have until 25 May 2018 until the law actually applies to them.
While the overwhelming majority of IT security professionals are aware of
GDPR, just under half of them are preparing for its arrival, according to a
snap survey of 170 cyber security staff by Imperva.
Just 43% are assessing GDPR’s impact on their company and changing their
practices to stay in step with data protection legislation, Imperva found.
While the respondents were mostly US-based, they would still be hit by GDPR if
they handle – or contract another firm to handle – EU citizens’ personal data.
Despite this, nearly a third said they are not preparing for the incoming
legislation, and 28% said they were ignorant of any preparations their company
might be doing.
So who does the GDPR apply to?
‘Controllers’ and ‘processors’ of data need to abide by the GDPR. A data
controller states how and why personal data is processed, while a processor is
the party doing the actual processing of the data. So the controller could be
any organisation, from a profit-seeking company to a charity or government. A
processor could be an IT firm doing the actual data processing.
Even if controllers and processors are based outside the EU, the GDPR will
still apply to them so long as they’re dealing with data belonging to EU
It’s the controller’s responsibility to ensure their processor abides by
data protection law and processors must themselves abide by rules to maintain
records of their processing activities. If processors are involved in a data
breach, they are far more liable under GDPR than they were under the Data
Protection Act.
When can I process data under the GDPR?
Once the legislation comes into effect, controllers must ensure personal
data is processed lawfully, transparently, and for a specific purpose. Once
that purpose is fulfilled and the data is no longer required, it should be
What do you mean by ‘lawful’?
‘Lawfully’ has a range of alternative meanings, not all of which need
apply. Firstly, it could be lawful if the subject has consented to their data
being processed. Alternatively, lawful can mean to comply with a contract or
legal obligation; to protect an interest that is “essential for the life
of” the subject; if processing the data is in the public interest; or if
doing so is in the controller’s legitimate interest – such as preventing fraud.
At least one of these justifications must apply in order to process data.
How do I get consent under the GDPR?
Consent must be an active, affirmative action by the data subject, rather
than the passive acceptance under some current models that allow for pre-ticked
boxes or opt-outs.
Controllers must keep a record of how and when an individual gave consent,
and that individual may withdraw their consent whenever they want. If your
current model for obtaining consent doesn’t meet these new rules, you’ll have
to bring it up to scratch or stop collecting data under that model when the
GDPR applies in 2018.
What counts as personal data under the GDPR?
The EU has substantially expanded the definition of personal data under the
GDPR. To reflect the types of data organisations now collect about people,
online identifiers such as IP addresses now qualify as personal data. Other
data, like economic, cultural or mental health information, are also considered
personally identifiable information.
Pseudonymised personal data may also be subject to GDPR rules, depending on
how easy or hard it is to identify whose data it is.
Anything that counted as personal data under the Data Protection Act also
qualifies as personal data under the GDPR.
When can people access the data we store on them?
Under the aim of giving people more control over their information, GDPR
ensures people can ask to access their data at “reasonable
intervals”, with controllers having a month to comply with these requests.
Both controllers and processors must make clear how they collect people’s information,
what purposes they use it for, and the ways in which they process the data. The
legislation also says that firms must use plain language to convey these things
clearly and coherently to people: it’s time to wave goodbye to those confusing,
dense terms and conditions.
People have the right to access any information a company holds on them,
and the right to know why that data is being processed, how long it’s stored
for, and who gets to see it. Where possible, data controllers should provide
secure, direct access for people to review what information a controller stores
about them.
They can also ask for that data, if incorrect or incomplete, to be
rectified whenever they want.
What’s the ‘right to be forgotten’?
GDPR makes it clear that people can have their data deleted at any time if
it’s not relevant anymore – i.e. the company storing it no longer needs it for
the purpose they collected it for. If the data was collected under the consent
model, a citizen can withdraw this consent whenever they like. They might do so
because they object to how an organisation is processing their information, or
simply don’t want it collected anymore.
The controller is responsible for telling other organisations (for
instance, Google) to delete any links to copies of that data, as well as the
copies themselves.
What if they want to move their data elsewhere?
Then you have to let them – and swiftly: the legislation means citizens can
expect you to honour such a request within four weeks. Controllers must ensure
people’s data is in an open, common format like CSV, meaning that when it moves
to another provider it can still be read.
What if we suffer a data breach?
It’s your responsibility to inform your data protection authority of any
data breach that risks people’s rights and freedoms within 72 hours of your
organisation becoming aware of it. The UK authority is the Information
Commissioner’s Office. Information commissioner Elizabeth Denham believes the
authority needs more resources to cope with policing GDPR, and responding to
organisations who notify it of breaches. In March 2017, she told the EU Home
Affairs Sub-Committee that more funding was necessary to recruit and retain
skilled people.
That deadline is tight enough to mean that you probably won’t know every
detail of a breach after discovering it. However, your initial contact with
your data protection authority should outline the nature of the data that’s
affected, roughly how many people are impacted, what the consequences could
mean for them, and what measures you’ve already actioned or plan to action in
But even before you call the data protection authority, you should tell the
people affected by the data breach. Those who fail to meet the 72-hour deadline
could face a penalty of up to 2% of their annual worldwide revenue, or €10
million, whichever is higher.
If you don’t follow the basic principles for processing data, such as
having a legal basis for doing so, ignore individuals’ rights over their data,
or transfer data to another country, the fines are even worse. Your data
protection authority could issue a penalty of up to €20 million or 4% of your
global annual turnover, whichever is greater.
If you take recently issued fines issued by the ICO – which can hand out a
maximum penalty of £500,000 – and scale them up under GDPR, you can see how
much tougher the penalties for getting data protection wrong could soon become.
So under GDPR, TalkTalk’s record £400,000 fine would actually total £59
million – that’s a pretty big chunk of the telco’s third quarter 2016 revenue,
which was £435 million. Meanwhile, the ICO’s total issued fines for 2016, which
amounted to £880,500, would become £69 million from 25 May 2018, according to
risk mitigation firm NCC Group – 79 times higher.
However, it’s important to note that while the maximum fines that can be
issued will become much higher under GDPR, the legislation stipulates that they
must remain “proportionate” to the breach. Also, if you can
demonstrate that you work hard to ensure your organisation is compliant with
GDPR, the ICO would likely not issue as high a fine in the event of a breach as
it would otherwise.
But what about Brexit?
Yes, the UK is leaving the EU – but because the UK government only
triggered Article 50 in March 2017, which sets in motion the act of leaving the
EU within a two-year timeframe (though it could take longer), this means  GDPR will take effect before the legal
consequences of the Brexit vote, meaning the UK must still comply.
A new Data Protection Bill, put forward by the UK government in August
2017, essentially replicates the requirements of GDPR into UK legislation,
meaning those compliant with GDPR should be compliant with the new UK data
protection law.
Much like the stipulations of GDPR, the bill sets out sanctions for
non-compliant organisations, permitting the Information Commissioner’s Office
(ICO) to issue fines of up to £17 million, or 4% of global turnover, whichever
is highest (compared to €20 million or 4% of turnover under GDPR).
It also provides provisions for the right to be forgotten, adding the
ability for data subjects to demand social media companies erase any posts they
made during childhood, a good opportunity for embarrassed adults to delete
things they said in their teenage years.
The bill also proposes to modernise current data protection regulations by
expanding the definition of personal data to include IP addresses, internet
cookies, and DNA.
By aligning with GDPR, the UK hopes to build an enhanced data protection
mechanism that goes beyond the adequacy model the EU imposes on ‘third’
countries, allowing personal data to flow freely between the UK and EU.
Digital minister Matt Hancock said: “Bringing EU law into our domestic
law will ensure that we help to prepare the UK for the future after we have
left the EU. We are committed to ensuring that uninterrupted data flows
continue between the UK and the EU and other countries around the world.”
Tech industry bodies took it upon themselves to warn off government
ministers from diverging from the EU’s data protection rules in an open letter
published in February 2018.
The letter responded to ministers’ suggestions that the UK might gain a
commercial advantage from taking a less stringent approach to data protection
than that outlined under GDPR.
“UK tech companies are clear that this is not a view held by the
sector, which sees the UK’s implementation of GDPR as a key pillar to the
future success of the digital economy,” wrote TechUK CEO Julian David,
whose lobby group represents hundreds of UK technology firms, in a letter
addressed to international trade secretary Liam Fox.
David pointed out that with GDPR applying to any organisation processing or
using EU residents’ personal data from 25 May 2018, companies are already busy
preparing for the legislation.
“Disrupting GDPR implementation would not be welcomed by
businesses,” he added. “There is no desire for another wholesale
revision of data protection rules any time soon.”
Apart from explaining that GDPR puts people at the heart of data
protection, David also argued that aligning with the legislation is an
essential step in producing data protection legislation once Britain exits the
The government is already working on a new Data Protection Bill that
effectively replicates GDPR into UK law, and David said such a step is crucial
for the UK’s economic success.
He added: “The tech sector is clear that diverging from EU data
protection post-brexit is neither desirable nor helpful. The GDPR represents a
high standard of protection for citizens’ information, which will help build
trust in the digital economy.”
Is the Investigatory Powers Act compatible with GDPR?
However, what’s unclear is whether other new legislation will be deemed
compatible with GDPR once the UK leaves the EU. For example, under the UK’s
Investigatory Powers Act, ISPs are compelled to collect personal web histories
and hold them for up to 12 months. The government is currently having to
rewrite some of these laws after identical powers in old DRIPA legislation were
found to be illegal.
But Hancock wrote in October 2017 that “UK national security
legislation should not present a significant obstacle to data protection
1482247569779Do we need a data protection officer?
Any public body carrying out data processing needs to employ a data
protection officer, as do companies whose core activities involve data
processing that requires they regularly monitor individuals “on a large
scale”, according to the GDPR legislation, though public bodies are at an
advantage, in that several can share the same data protection officer. Organisations
should give the contact details of this person to their data protection
The data protection officer’s job is to inform and advise the organisation
about meeting GDPR requirements, and monitoring compliance. They’ll also act as
the data protection authority’s primary point of contact, and will be expected
to cooperate with the authority. Read a bit more about the role here.
Alright, so how do we go about meeting the GDPR requirements?
First of all, give this in-depth article a read; it explains exactly how
you can get ready for GDPR.
The best advice is to start preparing for it as early as possible – 25 May
2018 might sound far away, but there’s a lot to get right. Immediately, you
should seek to employ a data protection officer if necessary, and check the
current state of your data protection rules and policies, particularly consent.
Anthony Merry, head of data protection at Sophos, said firms should start
by reviewing the current state of their data protection policies, before
updating them.
See related
GDPR preparation: 2018 data protection changes
How to get ready for GDPR
What is a data protection officer?
“Businesses need to review their data protection policies and
technology to check they are compliant, and should not be shy of reaching out
to their local regulatory body or to a trusted consultant for advice to ensure
they get it right,” he said. “Be proactive and protect the data you
hold, encrypt it and always keep up to date with your security solutions. Data
breaches occur every day – and the EU have just increased the consequences of
inadequate security.”
The issue, however, is how long such a process will take.
Justin Tivey, legal director at law firm Bond Dickinson, said it is crucial
companies start now to get their policies into shape.
“The two-year implementation period may sound relaxed but it will only
be so for those who start to tackle the issues raised by the GDPR now,” he
“Organisations need to start by understanding what data they acquire,
hold and process and the legal basis for that. Privacy needs to be designed
into systems and processes and respect for data subject rights needs to be
stepped up. Policies and procedures for handling any security breaches needs to
be in place. At its heart however, data protection is about the same issues –
understanding what data you hold and why.”
Then work out what procedures you need to adopt, or update, to comply.
Introduce these as quickly as possible so you can start educating your
workforce about them.
If you work with any third-party suppliers who would count as processors,
check what their data protection policies are and whether they comply – if they
don’t, it might be time to tender again.
It’s also worth looking out for technology that will help you meet
requirements around data deletion and data portability.


BACA JUGA:   Cara Mengurangi Opacity video/photo di Vegas Pro

Leave a Reply

Your email address will not be published. Required fields are marked *