With the GDPR, the balance of power between businesses and the public is made more equal. It ensures that there is clear transparency for people to know what is happening to their data. Not only can people now know exactly what is happening with their personal information, but they can decide exactly what happens to it. There are more details in the section below, but essentially, more control over one’s personal data = good.
Harmonisation and Standards
The GDPR harmonises the data protection laws and regulations across the EU Member States to ensure that all individuals enjoy an adequate degree of protection. Every country has slightly different privacy protections and laws, however, it ensures that the same law applies to every EU country. This will make it easier for businesses and organisations, as instead of dealing with several different laws and policies, they only need to cooperate with one supervisory authority.
Security is an integral part of the GDPR, thus now obliges companies to work data protection into their products. Privacy needs to be embedded into the design, and companies are to take a proactive approach to protecting personal data.
Every business is now held to the same standard when it comes to personal data. The big companies can be all shady and trade the data with each other, but the fines associated with that kind of behaviour are now going to be much larger.
Limitation Policies
There are many limitations and actions which must be adhered to under the GDPR. Yes, this is a pain for small businesses to do, but as a data subject, business owners should be supportive of measures that will help to ensure that their personal data is protected.
Purpose Limitation
Personal data to be collected only for specified, explicit, and legitimate purposes. The data cannot be used for any other purpose than what it was obtained for.
Storage Limitation
Data is to be kept for no longer than is necessary for the purposes of processing. The data cannot be kept indefinitely, and should have an explicit “shelf-life.”
Data Minimisation Limitation
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes in which they are processed. The data cannot be used for purposes outside its intended scope.
Accuracy Limitation
Personal data that is inaccurate must be rectified or deleted as soon as possible.
Integrity and Confidentiality Limitation
Ensure personal data is properly secured, such as encryption, authentication and authorisation mechanisms.
Principle of Accountability
Data controllers need to show compliance with the GDPR. As explained here, there needs to be a documented record of compliance.
As an EU citizen, your data is yours to control.
Rights of EU Citizens
The EU is an institution that has 28 Member-States (never mind Brexit), that collectively have 500 million people. EU laws supersede national laws, but no laws get passed without the consent of the national governments of each country. The GDPR affords the citizens of the European Union with many new rights about their personal data.
Right of Access:
Data subjects have the right to access from data controllers information about their data, and be informed about:
- The purpose of their data processing
- Categories of their personal data
- Recipients of their personal data
- Storage period of their personal data
Right of Complaint
Data subjects have the right to lodge a complaint to a supervisory authority, if they feel that their personal data has not been properly managed, or unlawfully used
Right of Rectification
Data subjects have the right to modify their data without any undue delay
Right to Object
Data subjects have the right to object to the processing of their data, thus preventing the data controller from further processing their personal data
Right to Restriction of Processing
Data subjects can restrict the processing of their personal data if the accuracy is contested, the processing is unlawful, or the personal data is no longer needed by the data controller
Right to Erasure (Be Forgotten)
Data subjects can get their personal data erased with no undue delay from the data processor or controller
Right to Data Portability
Data subjects have the right to get their data in a clear and readable format transferred over to other data processors when requested, or to themselves
Right of non-Automation
Data subject have the right to not be subjected to automated individual decision making, which includes automatic profiling
Right to be Represented
Data subjects have the right to be represented by various organisations who will represent them in cases when a complaint is made to a supervisory authority
Right to Compensation
Data subjects have the right to compensation if their personal data is unlawfully managed by data controllers or data processors
Right of Notification
Data subjects have the right to be notified in the event of a security breach within 72 hours of the incident occurring
It should be noted that there are exceptions to all of the above, in cases off law enforcement for example, or if it interferes with the exercise of the right of freedom of expression and information, or if there is authorisation by the EU or Member-State, or if it is in the public interest, and several other exceptions. However, explaining all that would make this series much longer than it already is, and is not relevant to business owners. Suffice to say that these exceptions would not apply to small businesses, so they are not a reason to not become compliant. See here for more details on being compliant
Personal Control
The GDPR gives EU citizens more control over their personal data. While the potential fines for non-compliance are very high, it is not as if the EU is going to go to a small plumbing company, see that they have shared some contact information of their customers, and fine them 4% of their profit on the spot. Actual enforcement remains to be seen, but large companies have been mismanaging personal data for years, or not taking good enough care of it.
Earlier this year Carphone Warehouse was fined £400,000 because they failed to put in place the proper security measures to withstand a cyber-attack. With the GDPR, intention and negligence are taken into account, should a company be investigated. The EU wants to ensure that there is a consistent privacy policy across its jurisdiction, which can only benefit its citizens.
With the new regulation, people don’t just have the right to know exactly what is being done with their data, but they also have the right to modify the data, change how it’s used, and even have the option to delete it entirely. While many businesses are panicking because they feel like they need to become strictly compliant by 25 May 2018, people need to look at the bigger picture and realise why all this is happening. More control over personal data is a positive development in international law. Despite the hassle of updating privacy policies and following new codes of conduct, it is essential to have adequate privacy protections in place.