ZÜRICH – During the past month, I’ve received notifications from dozens of websites asking me to read and agree to their updated privacy rules or to reconfirm my subscription to their email notifications. You probably have as well, even if you live outside of the European Union. It’s all thanks to the newly introduced General Data Protection Regulation, or GDPR.
While the idea behind these changes moves the EU far ahead of other countries, the logistics of implementation have been cumbersome for users. I attempted to read the first few revised terms and conditions I received, but by the 20th one, I gave up. This means that instead of understanding how my data will be used, I put my trust in EU legislators and the websites to which I’m reconfirming to have done the right thing.
As such, it would probably help to understand more of the details behind the GDPR.
An overview of the GDPR
On May 25, new data-privacy laws took effect in Europe, replacing the previous mandate passed in 1995. The European Union already led the world in data-privacy protections, but the new measures take online privacy a step further.
While the Data Protection Directive of 1995 had already laid out a fairly strict set of regulations of when, why, how and for what purpose companies could use personal data, the GDPR extends that scope to include all companies that process the personal data of users residing in the EU, regardless of where the company is located.
Now, the GDPR aims “… to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established,” according to the GDPR Portal.
There are six key changes that increase the rights of data subjects:
- Breach Notification: Companies must notify citizens of a breach of data within 72 hours of becoming aware of the breach.
- Right to Access: The right to ask whether a company is processing your data, and how. On request, a company must provide – for free – a copy of the personal data it holds on you.
- Data Portability: An extension of the Right to Access: you can pass the electronic copy of the data a company holds on you to other companies. At first glance, the reasons to transmit your data to more companies may seem few; however, data portability should (in theory) allow you to monetize your data by selling it to other companies. In essence, users, rather than companies, could be the monetary beneficiaries of their personal data.
- Right to be Forgotten: You can withdraw your consent and ask that all your data be erased, that your data can no longer be processed, and that your data can no longer be sold to third parties.
- Privacy by Design: When creating a new technological system, companies must include data protection in the way they set up their system from day one instead of adding it in later.
- Data Protection Officers: Companies whose core operations involve monitoring data on a large scale must meet internal record-keeping requirements. They will be required to appoint Data Protection Officers, who must report directly to the highest level of management of that company and who must register with the Data Protection Authorities in the EU.
Several startups have seen an opportunity to act as advisers to help users and businesses navigate the new regulations and understand data collection and privacy rules. For example, Personal Data.IO aims to make it easier for everyday users to understand what companies know about them.
With so many updates to read, I hope my trust is justified, but misplaced trust is how we ended up in the Facebook and Cambridge Analytica messes in the first place.