Page 92 - AEI Insights 2019 - Vol. 5, Issue 1
individuals from misappropriation of their personal data for harvesting, monetisation or
(socio-political) weaponisation purposes.
Namely, the GDPR gives individuals the right to request a transfer of their personal data
(account and history information) from one commercial entity to another (e.g. from one bank
or phone provider to another). Another right is to request – at short notice and for an unspecified
reason – that the commercial enterprise stop both the data collection and the marketing
dissemination, or to demand clarification of its marketing methods and the nature of the services
provided. This instrument also offers individuals the right to request that their personal data
be deleted (being zipped and sent back to its proprietor beforehand) – as stipulated in art. 17
(the right to be forgotten).
The GDPR calls upon all operating entities to hire a data protection officer so as to ensure full
compliance with the new rules. It also invites all data-collecting entities to conduct impact
assessments – in order to determine the scope, frequency, outreach and consequences of personal
data harvesting and processing. (For example, if a certain entity wished to introduce biometric
authentication for its employees and visitors entering its premises daily, it would first need
to run an assessment – a study that addresses the necessity and impact of that new system as
well as the exposures it creates and possible risk mitigation measures.)
The GDPR obliges every entity that gathers data to minimise the amount and configuration of
personal data it harvests, while maximising the security of that data. (For instance, if an auto
dealer or travel agency requires potential customers to fill out a form to request a price quote,
the form can ask only for information relevant to the product or services in question.)
The new legislation also mandates data-gathering entities to notify the authorities – without
any delay – whenever they suspect or witness a personal data breach. Finally, the GDPR
obliges entities to present the public with clear and thorough information about the personal
data they harvest and process, and about why they do so.
On the sanction side, the GDPR supports the regulators with new enforcement tools, including
norm setting, monitoring and enforcement of compliance. For non-compliance, the
instrument prescribes steep fines.
Adequately answering the accountability standards enacted by this EU legislation will certainly
lead large data-gathering entities to bear significant investments. However, for the sake of
credibility, outreach and efficiency, they will have incentives to introduce the new procedures and
systems within the EU, but also beyond – wherever their operations are present.
Complementary to this, the GDPR stipulates that if an entity transfers personal data out of the
EU, it must safeguard that the data is handled in the new location in the same way as within the
EU. By this simple but far-reaching and effective spill-over notion, the standards embodied by
the GDPR will be delivered to the rest of the world. Hence, this instrument is not (only) an
inner code of conduct that brings an outer appeal; it is a self-evolving and self-replicating
standard of behaviour for our common (digital) future.
Twinning: ASEAN, Indo-Pacific, Asia
It is obvious that the stipulations of the GDPR would serve well the interests of the Republic of
Indonesia (RI). That is actually in line with the very spirit of the 1945 Constitution, which obliges
the state to protect, educate and prosper the Indonesian people. This supreme state act clearly
proclaims that respect for individual personal data rests upon the two principles of the
Pancasila, namely those of Fair and Civilized Humanity. The mutual granting and observance of
everyone’s elementary rights is an essence of freedom and of the overall advancement of society.