The General Data Protection Regulation is a European Union privacy law that was implemented starting May 25, 2018.
It was a lengthy process to craft the sweeping legislation, as it not only replaces the old data protections, which had been in place before the rise of global Internet companies such as Facebook and Google, but also places limits on the power these companies can wield over an individual’s personal data on the web. With the increased popularity of these social media platforms and ongoing widespread data breaches, it became clear that a new and improved privacy law was needed to protect EU citizens from data theft.
The new regulation outlines the main responsibilities for companies, in order to ensure that private individuals’ data is processed transparently and only for the specific purposes for which they hold the data.
GDPR also works to unite all the regulations related to data privacy, thus ensuring a smoother international business process.
You might wonder what are the key provisions of GDPR that affect you. Well, it’s rather easy and it all comes down to six data processing principles:
- The data needs to be processed fairly, lawfully and transparently;
- The data needs to be collected and processed for specific reasons, stored for specific periods of time, and not used for reasons beyond its original purpose;
- You are allowed to collect only the data necessary for its intended purpose, and no more;
- The data must be accurate, and you have to make sure it remains that way;
- The data needs to be kept in a form that identifies individuals only for as long as is necessary;
- The data needs to be kept secure and protected from potential data theft.
Two tangible ways these principles apply are the following: companies that use personal information must be able to explain their use of such data; and companies must either have the explicit consent of the individual to collect and keep their personal information, or the personal information must play an essential role in the business service the company provides.
One other major issue that GDPR has brought to the table is that of User’s Privacy Rights. What this means is that individuals have the right to access and control what happens with their personal information.
Here is a summary of the User’s Privacy Rights:
- The right to be informed. The user needs to be informed clearly about what data is collected, what it will be used for and for how long it will be kept. Also, if you have to share that info with another company, the user needs to be informed.
- The right of access. The user can access their data at any time and has the right to ask you, as an organization, which data you hold about them, where it is stored, and whether it is shared and with whom.
- The right to rectification. The user can correct the data held about them.
- The right to erasure. Better known as the “right to be forgotten”, this means that the user can ask you to delete some or all of the data you hold about them.
- The right to restrict processing. The user can revoke consent, even if they have given it in the past. In order to make an informed decision, the company which processes the data needs to show the user what it does with it.
- The right to data portability. The user can extract the data held on them and use it elsewhere.
- The right to object. The user can, at any time, demand that an organization stop using their data in a way they do not agree with. Direct marketing is an example of such use.
- Rights in relation to automated decision making and profiling. The user needs to give their consent for their data to be processed, for targeted advertising for instance.