You’ve probably heard a lot about GDPR – or the General Data Protection Regulation – this year. It’s a new Europe-wide law that came into effect on May 25th with the intention of further safeguarding people’s data online.
On the surface, it stops companies from using your data without your knowledge or permission – but in reality it goes a lot further than that and gives ordinary citizens a lot of new rights.
In this brief guide, we will outline the principles of GDPR and how they affect each of us as consumers.
Why did we need GDPR?
Although many European countries already had strong data protection rules in place before GDPR, this law is meant to unify regulations for all member states.
Nevertheless, each country has its own regulator and some countries have additional, more stringent regulations. The UK, for example, affords additional protection to children under the age of 16, requiring parental permission before collecting data on a user (whereas the European standard is currently children of 13 years old and under).
Companies that break the rules are now subject to some hefty fines. Serious offenders will have to pay up to 4% of their global annual revenue, or pay up to 20 million euros.
Why is it a good thing for consumers?
GDPR gives us a fresh start. We can now easily opt out of emails we don’t want, say goodbye to old subscriptions, and stop companies from using our data without our knowledge.
It’s a way of bringing some order to the internet and controlling the companies that process and use our data. It also levels the playing field in Europe, ensuring that companies are treating our data legally and with permission.
Who is responsible for your data?
Under GDPR there are two types of entities responsible for keeping your data safe:
Data controllers have a number of big responsibilities when it comes to collecting data. They are the decision-makers who say what data is collected from you, how they keep it and what they do with it.
Data processors are just as important – they are the people (or companies) that store and manage data for data controllers. They are the platforms, mailing lists, and software companies that facilitate the work of data controllers.
What are your rights under GDPR?
1. Right to be informed
Thanks to GDPR, you now have the right to ask a company what data they have on you. Not only should they freely tell you everything they have, but they should do so in a way that’s easy to understand.
2. Right to access your data
It’s also your right to access your personal data and find out why and how it is being used. For example, Facebook now allows you to download your entire history with the platform. This includes message histories, photographs and even phone numbers of contacts who don’t use the platform.
3. Right to correct mistakes
You have every right to contact a company and ask them to rectify any mistakes in the data they hold – and the company must comply.
4. Right to restrict data processing
You can also ask a company to stop using your data until they have corrected those mistakes.
5. Right to delete your data
You also have the right to erasure – that is to ask companies to delete data they hold on you. You can do this when the company no longer needs it (it has become irrelevant), if you no longer consent to the company using it, or if the data was gathered illegally.
However, there are some instances when it is not possible to delete your data, for example when a company needs it to complete a service for you, or when there is a legal reason to keep it.
6. Right to object to data processing
7. Right to reject automated decision-making
When it comes to data-based decisions, you have the right to tell a company that you don’t want a machine to process your information. This is true unless you authorize a company to process it automatically, it is needed to fulfil a contract condition, or a specific country regulator allows for it.
8. Right to data portability
You can also ask to move your data from one place to another. Companies are obligated to make it easy for you to repurpose your data. For example, you should be able to transfer your personal data from one platform to another.
Overall, GDPR is a step towards greater transparency and responsibility online. Now that companies are forced to think about data security, access and accountability, we are going to be intruded upon less – especially in the private spaces of our inboxes and social media accounts. It will also force us as individuals and consumers to be more aware of what information we are sharing and with whom – and that can only be a good thing.