Back in the GDPR: Your Digital Rights Are About to Get a Lot Stronger
Chances are you don’t feel in control of your data. With news of data sharing, tech companies overstepping their boundaries and, in some cases, neglecting their security responsibilities, it’s easy to feel that the individual is way down the list regarding their priorities.
However, in the EU, this will improve once GDPR — General Data Protection Regulation — comes into effect on May 25th. Most likely, if you’ve already heard about it, it will have been in the context of how it affects businesses, yet its main purpose is to help individuals gain greater autonomy over their data and digital footprint.
By strengthening your rights, it doesn’t just affect how you use services in your spare time but how employers process your data for payroll, HR, and other similar functions.
In short, GDPR will give you these rights:
- Companies require your explicit consent before signing you up for a service.
- Terms and conditions must be written in plain, clear language that anyone can understand.
- You can control which of your data is used and easily stop companies from using it.
- You can ask a service to restrict, correct, or delete your data.
- You can request a copy of all the data a company has on you and they must provide it within 30 days in a format that can be transferred.
- You can be sure that your data is being protected and used responsibly.
Companies won’t adopt GDPR just because it’s mandatory; they’ll adopt it because it will mean the difference between losing customers and keeping them. Expect a greater focus on customer satisfaction as they meet their legal obligations.
Consent is key
You can say goodbye to long terms and conditions forms filled to the brim with legal jargon, having to untick boxes subscribing you to newsletters, or finding that your email is now on different mailing lists.
This will be gone under the new regulations. Instead, companies must clearly state what data they require and why they need it. This information must be written in plain language.
It should also be transparent and easily accessible; these terms can’t be buried away on a page that’s difficult to find.
If a service introduces a new request that wasn’t already agreed to — such as an app update which now uses location data — it must tell you this and ask for your permission before activating it. Similarly, you must also be allowed to withdraw consent, and it should be as easy as giving it.
There are some exceptions to the rule, such as in the case of law enforcement, but for the most part, the general theme will be ‘opt-in’ instead of ‘opt-out’.
The right to be forgotten and correct mistakes
Sometimes called the ‘right to erasure’, this means you can ask a company to delete your personal data if you want it to stop using it. This applies, for example, where the data wasn’t lawfully obtained, is no longer relevant to the purpose it was collected for, or there is no longer any reason to process it.
On a related note, you can also request your data to be changed or updated if inaccurate information is used; companies will likely have a verification process to ensure only you can change it. If your data is shared with other services, then the company in question must inform them about the change.
Companies must also state how long they’re going to keep your data for. How long this period is will depend on the data, what it’s used for, and the company in question, but it can’t be kept indefinitely. Once the time limit is up, the company must dispose of it.
If you wish, you have the right to request a copy of all the data a company holds on you. From the moment you make the request, the company in question has 30 days, which includes weekends and not just working days, to fulfill it.
The copy should be in a commonly used, structured format that can be transferred to other services. For example, it could be sent in a general file format like CSV, which any spreadsheet program can open and read.
Companies do have the option of extending this deadline by up to two months, but they must have a good reason, such as handling a large number of requests or a request that is more complex than anticipated. If they do extend it, they must notify you and explain the reasons for the extension.
GDPR doesn’t just concern how your data is used; it also covers how it’s protected. The regulations require companies to take reasonable precautions to keep your data safe, so measures such as encryption, pseudonymization, anonymization, and privacy controls must be implemented by the company.
If a company does become the victim of a data breach, it must notify the relevant data protection authority – and the individuals affected if the breach poses a high risk to them – within 72 hours of discovering it. The exception is when the leaked data doesn’t pose a risk (for example, because it’s encrypted and therefore unreadable to anyone without authorization).