The General Data Protection Regulation is a European Union privacy law that comes into effect on May 25, 2018. It has been years in the making, and will replace the last major piece of EU privacy law, which dates from 1995: a time when Geocities was popular, before Facebook, before Myspace, before even Google.
A lot has changed in how the internet is used for business and the role data and data-sharing has in our lives, so it’s about time the law was updated.
GDPR updates privacy law to account for more recent technical developments and how we use them. It increases restrictions on what organisations can do with your data, and it extends the rights of individuals to access and control data about them. This is a good thing. In some cases it also extends these restrictions and safeguards on what can and cannot be done with your personal data to organisations based outside the European Union, if they handle data collected within it. Though somewhat controversial, this is also a good thing.
Key elements of the GDPR
The GDPR requires organisations handling personal data to do so according to its six data processing principles, namely that:
a) it is processed fairly, lawfully and transparently
b) it is collected and processed for specific reasons and stored for specific periods of time, and that it is not used for reasons beyond its original purpose
c) only the data necessary for the purpose it is intended is collected, and not more
d) it is accurate and that reasonable steps are taken to ensure it remains accurate
e) it is kept in a form that allows individuals to be identified only as long as is necessary
f) it is kept securely and protected from unlawful access, accidental loss or damage
From these principles, GDPR requires organisations collecting, using and storing personal data to define a lawful basis that the organisation will use to explain its use of personal data. These are, for example, that they have the individual’s consent, or that they need to do so in order to provide a product or service the individual has asked for, or that they are legally obliged to do so. Every bit of personal data held by an organisation must be justified according to one of the six lawful bases.
This is why you have probably been receiving many emails from organisations asking you to confirm that you wish to continue to receive their emails – they are seeking your consent as a lawful basis for using your data.
Your privacy rights
The GDPR also defines the rights that individuals have to access and control their data:
Right to be informed: when organisations collect data from you, they must properly inform you what data they are collecting, what they are using it for, how long they are keeping it and which organisations it is being shared with.
Right of access: you have the right to contact an organisation and ask it to provide the data it holds on you. This includes the data itself, why it is held, and what is being done with it, including which organisations it is shared with.
Right to rectification: you have the right to ensure that information about you is correct, and to have it corrected if it is found to be inaccurate.
Right to erasure: also known as the “right to be forgotten”, this means you have the right to demand that information a company holds about you is deleted, in part or entirely. This is not an absolute right, and in some circumstances the request can be refused.
Right to restrict processing: you have the right to deny consent for an organisation to process your data, even if you have given consent for it to do so in the past. This right is also not absolute and can in some circumstances be refused. But an organisation must be able to show you what it is doing with your data, so you can decide to restrict processing if you wish.
Right to data portability: this gives you the opportunity to take the data an organisation holds on you and extract it for use elsewhere. Good examples are the features Facebook and Google offer that allow you to download the profile information accumulated on the service. This is intended to promote competition, so that users are not forcibly tied to an uncompetitive service by the weight of accumulated data.
Right to object: this allows you to demand that organisations stop using your data in ways you object to, for example sending direct marketing or making nuisance commercial phone calls.
Rights related to automated decision-making and profiling: finally, with the growth in profiling and the use of data to make automated decisions, from targeted advertising or content to credit decisions or job applications, this gives individuals the right to object to or appeal against automated decisions that affect them. This is particularly the case where decisions have serious legal or similarly significant consequences. All such processing requires the explicit, informed consent of the individual.
Taken together, these principles and rights make the GDPR the world’s most powerful and far-reaching privacy law. Because so much business is now very international, the effect will be that companies outside the EU will conform to GDPR privacy standards in order to access European markets of 500m wealthy consumers.
Following years of data breaches and hacks and scandals about government and corporate intrusion into our private lives, if the GDPR improves the strength of privacy rights across the world, well, this is definitely a good thing.
Michael Parker, Membership Editor, The Conversation