May 25th, 2018 marks the victory of data protection laws and consumer privacy. It’s the day Europe’s General Data Protection Regulation came into being.
You might know it as GDPR, and I’m here to tell you all about it.
GDPR – the basics
GDPR stands for General Data Protection Regulation, and it encompasses a long list of regulations for the handling of consumer data.
The GDPR was Europe’s attempt to unify data privacy laws across different countries, with the most significant changes behind the scenes.
You can check out the full GDPR text here.
Its goal is to help align existing data protection regulations while increasing individuals’ levels of protection. GDPR enforced stricter rules on data protection, and this translated into people having more control over their personal information and businesses benefiting from a level playing field.
This regulation has replaced previous data protection rules across Europe. Some of them were outdated, being first drafted in the 1990s before the world wide web offered many online services and options. A change was needed because, as people routinely shared their personal information online, local privacy regulations were relatively powerless in the grand scheme of things.
GDPR sets rules for how companies can use collected data, so many have had to rethink their approach to tech stacks, analytics, and, of course, advertising.
But how does this translate for your privacy?
As a user, you can thank GDPR for the notifications you get if your personally identifiable information (PII) has been revealed in a data breach.
Your PII includes:
- Identity information such as name, address, and ID numbers
- Web data such as location, IP address, cookie data
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political beliefs
- Sexual orientation
Now, let’s take a closer look at your rights.
The right to be forgotten
This is the right individuals have to request that their personal information be deleted from the internet. You might also know it as the right to erasure.
In the EU, anyone can submit a request to an organization invoking the right to be forgotten, and the organization then has one month to respond. If the request is approved, results using the person’s name can no longer appear within the EU countries.
However, an organization can also refuse on the grounds of legal necessity and public interest.
Behind the curtains, the right to be forgotten highlights the need for a traceable mechanism to ensure that deleted data is also removed from any backups.
The right to data portability
As its name suggests, you have the right to move your data from one company to another.
You can request a copy of your personal information and data from a company at any time. You can even ask them to send your data to another organization, even if it’s a competitor.
Also, companies need to convert this data into a machine-readable format to make portability smoother and faster.
The right to be informed
Data breaches are the worst, but you’re limited in what you can do to prevent them as a consumer.
However, thanks to GDPR, companies must notify you if your private information is ever breached or disclosed.
While this might be peanuts when your privacy has been invaded, at least it gives you the opportunity to increase your protection, change your passwords, and delete any of your obsolete accounts.
The right of access
The right of access allows you to know:
- How the information you give to companies is processed and stored
- Where, for what purpose, and for how long companies keep your information
As a result, companies must state how they handle your details. This might include purchase and order records, account details, and other bits needed to offer you their services. Organizations can also keep records for auditing purposes, as long as this is clearly documented.
All in all, the right of access forces companies to take extra care in handling your data and puts an end to using it without your consent, including selling it to advertising companies.
The right to rectification
You also have the right to ask a company or organization to rectify or delete your personal information. This includes instances where you change your name, gender, address, or payment details.
However, some things cannot be deleted. These include data needed:
- To offer you the online services you signed up for,
- For reasons of public interest,
- For the exercise or defense of legal claims,
- For archiving purposes, according to local regulations.
How to know if a company is GDPR compliant
The key here is transparency. Any GDPR-compliant company needs to highlight what data it collects from you and for what purpose, and, most importantly, you need to give explicit consent.
As a result, organizations need to focus on their website and their service.
What’s more, companies need to have straightforward contact procedures.
Moving on to the service, the terms of service need to be clear, as do the terms of consent. GDPR requires companies to design their systems with the proper security protocols in place, so now’s the perfect time to get familiar with the Privacy by Design principles.
Lastly, there’s the matter of how a company handles children’s data.
According to GDPR, users need to be at least 16 years old to have their data processed. However, individual member states can set their age limit to match local legislation.
Additionally, GDPR stipulates that children have to be at least 13 years old to have the right to sign up for digital services.
GDPR – a success story
So, how has GDPR changed data protection for European citizens?
Well, the European Commission doesn’t shy away from showcasing the benefits of GDPR. According to them:
- 4.3 million citizens and businesses consulted the European Commission’s GDPR portal in the past two years.
- 69% of the EU’s citizens over the age of 16 have heard about GDPR.
- 71% of people in the EU have heard about their national data protection authority.
- Individuals lodged 275,000 complaints about data protection breaches to national data protection authorities between May 2018 and November 2019.
Although GDPR is far from being perfect, its enforcement seems to be sending a strong message to companies across the globe.
One of the most critical elements of the GDPR has been regulators’ ability to hit non-compliant businesses with huge fines.
One of the most significant fines under GDPR to date has been against Google. The French data protection regulator, the National Data Protection Commission (CNIL), fined the company €50 million. CNIL said the fine was issued for two main reasons. First, Google did not provide enough information to users about how it uses the data it collects from 20 different services. Second, Google did not obtain proper consent for processing user data.
However, some people are not convinced that €50 million is enough to make a dent in Google’s finances.
Whether fines will be enough to make companies more responsible about data protection remains to be seen.
But how do you feel about GDPR? Do you trust companies more now that they’re forced to handle your information with care? Let me know in the comments below.
Until next time, stay safe and secure!