The General Data Protection Regulation (GDPR) is a regulation on data protection and privacy for all individuals within the European Union (EU) and addresses the export of personal data outside the EU.
A strong data protection framework is necessary to build transparency and trust in the digital economy. Rapid technological advancement has enabled private businesses and public authorities to collect, process and store personal data on an unprecedented scale. This has also increased the cross-border flow of personal data. Inadequate protection of personal data increases the risk of identity theft and fraud that may lead to financial loss, damage to reputation or even physical harm. Personal information used in profiling may lead to discrimination based on racial or ethnic origin, political affiliations, religious beliefs, or genetic and health records.
Protection of personal data is a fundamental right in the EU. GDPR aims to ensure that people have control of their own data. It also aims to simplify the regulatory environment through a consistent set of rules that facilitate the free flow of data within the EU and with other countries while ensuring a high level of protection of personal data.
"Under GDPR, individuals have several rights. First and foremost is the right to be informed about the purpose and use of personal data at the time of data collection. This includes disclosures regarding sharing of personal data with other recipients, whether data is directly obtained from individuals or obtained from other sources. Individuals have the right of access to their personal data free of charge and the right to have inaccurate personal data rectified. The right to erasure (also known as the 'right to be forgotten') provides individuals the right to withdraw consent and request erasure of their personal data. Moreover, individuals have the right to obtain restriction on processing of personal data to contest accuracy or for legal claims. The right to data portability confers on individuals the right to obtain their personal data (previously shared with data controllers) in a structured, machine-readable format which can be transferred to other providers. Additionally, individuals have the right to object to processing of personal data for direct marketing, scientific or historical research and profiling for automated decision making," said Saurabh Banerjee, Sr. Specialist, Sapient Consulting.
New obligations under the GDPR that apply to organizations
GDPR affects all businesses established in the EU as well as businesses established outside the EU that offer goods or services to people in the EU.
"Organizations (data controllers) are accountable and responsible for complying with GDPR and must be able to demonstrate compliance through appropriate technical and organizational measures. Measures should be based on the core principles of data protection by design and data protection by default. Data protection should be a key consideration for designing and developing applications, products or services that require the use of personal data," he added.
Obligations include having formal contracts with data processors for the protection of personal data, conducting information audits and maintaining documentation of processing activities, performing impact assessments to minimize data protection risks, appointing data protection officers, and reporting data breaches to the supervisory authority and to impacted individuals.
Effects of GDPR on the use of AI in the enterprise space
Under GDPR, individuals have the right not to be subject to a decision made through automated processing that uses personal data to analyse or predict aspects concerning their economic situation, performance at work, health, personal preferences or interests, reliability or behavior, or location or movements, where that decision produces legal effects, such as the automatic refusal of an online credit application or e-recruiting practices without any human intervention. Individuals have the right to obtain an explanation of the decision reached after such an assessment and to challenge the decision.
“Machine learning algorithms learn from large amounts of historical data. The quality of the historical data can introduce bias in a model. Additionally, algorithms may inadvertently use variables that can serve as a proxy for personal attributes. For example, algorithms may exclude geographical localities with a large concentration of ethnic minorities. Similarly, models may be biased against people who do not have an online presence, or can infer health conditions based on shopping data related to medicines or food habits.
Appropriate quality assurance measures must be taken to ensure that there is adequate oversight and accountability in data science projects. Any inaccuracies in personal data should be corrected prior to use. Measures must be taken to ensure that there is no unintended bias or discriminatory effect on decision making. Organizations should also exercise caution when relying on algorithmic decisions that cannot be explained in a human understandable manner,” he said.
Key takeaways for the Indian government when formulating a comparable data protection framework in India
According to Banerjee, GDPR lays down the fundamental principles and ground rules that put people in control of their own data in a manner that is visionary in its objective and yet practical and legally enforceable. This should be a key takeaway for the Indian government when formulating a comparable data protection framework in India.
GDPR has made it abundantly clear that personal data is owned by individuals and that any organization that gathers and processes people’s personal data is obligated to obtain the necessary consents and keep the data secure. Protection of personal data should be at the core of the data strategy for all businesses, and data security should not be an afterthought. Forward-thinking Indian businesses would do well to adopt the core principles and guidelines of GDPR irrespective of their legal applicability to India-facing operations.
“Personal data protection should be a huge concern in India given the size of its population and the government’s push towards a digital India. India offers a lucrative market for multinational corporations such as Facebook, Amazon, Uber and others. With GDPR, the war for control of data has just begun and is expected to heat up in the coming years. It might be prudent for Indian authorities to consider early legislation that restricts trans-border movement of personal data of Indian residents outside of India. This can provide a lot of leverage to India in international trade agreements,” he further added.
Various studies have indicated that people are more willing to consume online services and share data if they can trust their service providers. A modern regulatory framework that protects personal data is necessary for building people’s trust in digital India. A digital economy can quickly expand markets by providing new opportunities for entrepreneurs who can offer more choice for consumers and generate new sources of employment.
The white paper released by the committee of experts on a data protection framework for India has acknowledged the need for strong data protection legislation. It has also noted that in an increasingly interconnected world, it would be naive if the framework were not aligned with international practices.
Several countries in Asia, Latin America and Africa are reforming their data protection legislation to enable local businesses to participate in the global digital economy. Modern GDPR-like data protection legislation in India would serve as a basis for international adequacy agreements and for closer cooperation with data protection supervisory authorities in different countries to exchange information and carry out investigations in collaboration with international counterparts. This would enable Indian companies to do business with major developed economies such as the EU, the US and Japan without having to jump through regulatory hurdles.
Saurabh Banerjee concluded by saying that GDPR is a landmark regulation that will strengthen consumer trust in the digital economy. It is a great template to follow for all countries aspiring to develop a sustainable digital economy that can benefit from the seamless flow of data to enable digital commerce while protecting people’s personal data.