Everything you need to know about GDPR. Whether it is about your fitness app, doing online shopping, applying for a credit card or just sending your Résumé around, the highly anticipated European legislation, called GDPR, will bring changes that you need to be aware of.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union legislation framework that will come into force on May 25th. It aims to offer users more control over their personal data and, at the same time, to update and harmonize existing legislation in this area across all 28 member states of the EU (UK included).
Unlike other types of European legislation, such as directives, regulations become immediately enforceable as law in all member states simultaneously, without needing to be debated by national parliaments.
What is personal data?
According to the EU, personal data is any information that relates to an identified or identifiable living individual. Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data.
Who is affected by GDPR?
GDPR mostly concerns the rights of customers located in the European Union, but it also applies to companies that operate inside the EU and whose activities involve collecting, processing or storing personal data.
However, even if you don’t live in one of the 28 member states of the European Union (UK included), the GDPR might soon bring some changes for you too. This legislation is bound to set new global standards for giving consumers more effective control over their data, which will most likely be replicated in similar forms elsewhere on the planet. It will influence the way in which local and national authorities, and big companies like Apple, Facebook, Google or Amazon, handle issues like privacy and data protection globally.
What companies will have to do for you in order to comply with GDPR
According to the new EU legislation, companies will have to use plain language and let you know exactly who they are when they request your data, why they are processing it, how long it will be stored, and who will get your information.
Businesses will also have to obtain your clear consent to process your data, and children under 16 will need parental approval in some cases. And by the way, whoever grants consent is also able to withdraw it. So, whenever your consent is needed, and it will be needed most of the time, the terms will have to be posted clearly and, more importantly, in a way that will allow users to actually read them.
They will have to make it easy for you to access your data, or even to transfer it to another company or provider. For example, you are a member of an online social media network. You decide that a new rival social media network is better suited to your aims and age group. You can ask your current online social media network to transfer your personal data, including your photos, to the new social media network.
Companies will have to give you the right to be forgotten, which means that you can contact any company’s data protection officer (some businesses may find fancier names for them) and ask them to delete all of your data that is no longer relevant. It is your data, and you alone own it, BUT only if deleting it doesn’t compromise freedom of expression or the ability to do research. So, it will be complicated…
Companies will have to give you the right to opt out of direct marketing messages that use your data. Companies must collect, process or store your personal information only for the purpose for which it was collected and to which you consented. If that purpose no longer exists, or if the information you provided is no longer correct or true, that information must be deleted.
Of course, the grass is not always greener, as companies also have the freedom to set their own rules, visibly, modeled on this piece of legislation. So if you refuse to give consent for some data, you may see your ability to operate on certain websites reduced. On the other hand, you will at least be able to ask companies to stop bombarding you with ads by email if you were, let’s say, a one-time buyer of tickets for some concert that you wanted to attend ten years ago.
What happens if a company doesn’t comply with GDPR?
It’s useful to know that any data breach will have to be reported within 72 hours, and all companies will have to alert their users and customers. The fines for noncompliance are quite serious, as they can reach either 20 million euros or 4% of the company’s global revenue, whichever is higher, and that, for companies like Google or Amazon, to name just two, means billions! For smaller companies, it might mean the end.
How to exercise your rights in the framework of GDPR
According to the EU, to exercise your rights you should contact the company or organisation processing your personal data, also known as the controller. If the company/organisation has a Data Protection Officer (DPO), you may address your request to the DPO. The company must respond to your requests without undue delay and at the latest within 1 month. If the company/organisation doesn’t intend to comply with your request, it must state the reason why. You may be asked to provide information to confirm your identity (such as clicking a verification link, or entering a username or password) in order to exercise your rights.
These rights apply across the EU, regardless of where the data is processed and where the company is established. These rights also apply when you buy goods and services from non-EU companies operating in the EU.
So, changes, big and small, are on the way, and we would love to hear from you if and how you were affected by GDPR, and how companies complied with their new obligations in your particular case.