Blog | 10th Feb 2018

10th Feb 2018

Impact of consumer protection regulations like gdpr 2018 on businesses

Europe is implementing the toughest consumer protection laws, starting 25 May 2018, a few months from now. India is expected to follow soon this year. Consumers will have rights that require big shifts in how consumer data is stored, targeted or traded. For example, Consumers have the right to be forgotten. The controller of data should have implemented processes which can comply with such requests. Such regulations bring back the focus on Publishers of content.


These below points are to summarize the working of Consumer protection laws :

  1. The primary idea of GDPR is to have a free flow of user data and protecting the rights of the user.
  2. There are three actors in GDPR system: Controller, Processor and Supervisor. Lead Supervisor is appointed by the Govt.
  3. The user (natural person) has the following rights:
    1. All the processing information should be accessible to the user.
    2. The user should be aware of the identity of controller and the purpose of him acquiring the data.
    3. The user has the right to get his profile deleted.
    4. User needs to be able to follow-up on this request of the above.
    5. The user can register complaint in court of his city/region or the controller city/region
  4. Till the data can be used to identify the user the regulations apply. This makes the process of pseudonymisation a very important part of the ecosystem.
  5. It is ok to track and profile a user with cookie and other digital generated post adequate consent.
  6. Consent has to be explained in simple English, explicit gained and all the purposes to acquire, retain and processing of the data needs to be captured. This makes a risk assessment of the data being collected a mandatory task.
  7. The Controller, by design, owns the data and hence becomes liable to protect the user rights. The authority/responsibility of the Controller includes erasure of data, data portability, take decisions based on profiling and communication of the breach of data to the user.
  8. The Supervisory authority(SA), by design, ensures that the regulation is been adhered to by the Controllers and Processors.
  9. A data breach needs to be reported to Supervisory Authority.
  10. The Controller should acquire data attributes that will fulfil the purpose. He needs to keep a minimalistic perspective on data achieving.
  11. The controller needs to keep a track of the user data since he will be exposed to the user. After all, he is responsible to protect the uses rights.
  12. The Processor, by design, processes the data by adding attributes and creating new attributes. This also includes attributes based on aggregation etc.
  13. Children will merit extra protection for their data being used.
  14. The Controllers and Processors need to coordinate within themselves to implement the regulations.
  15. The flow of data should be S2S. There goes the problem of walled garden.
  16. The SA will monitor data breach notifications and intervene when necessary.
  17. In case a Controller or Processor need to consult SA for review, consultation to keep the safeguards oiled up.
  18. Controllers and Processors need to deploy a Data Protection Officer who will represent data processes and compliances.
  19. Supervisory Authority need to engage courts in case of legal remedy needs to obtained.
  20. SA can impose administrative fines and other penalties. Controller and/or Processor can challenge the decision in the court if they feel biased etc.
  21. Biz entities need to cover themselves from legal aspects at all times.
  22. SA, Controllers and Processors need to give mechanisms to conduct reviews and audits.

Clear protection data regulations does away with Privacy related guideline speculations and enable us to acquire scale that was never possible.