With the enforcement of the General Data Protection Regulation earlier this year, many are still unaware of what these changes entail. Here is a comprehensive breakdown of what GDPR means for ordinary internet users. In this article I will talk about the reasons behind GDPR’s implementation, go through its core principles and mechanisms, and outline the individual rights it introduces for data subjects.
The General Data Protection Regulation is a European Union regulation that was introduced in May of 2018 as a means to update the Data Protection Directive that was in place at the time.
Part of the reasoning behind its implementation had to do with the rapidly changing technological landscape that has characterized the internet in the past decade and a half. New challenges in relation to the ways information is handled have arisen, particularly when it comes to personal data.
This is especially relevant in the case of private companies and certain public authorities – the processing of information by these bodies in order to pursue their activities has resulted in personal data being made globally available at rates never seen before.
The sheer amount of personal data being processed and utilized in different ways requires measures to manage it accordingly: hence GDPR.
Technically speaking, GDPR was implemented for two core reasons:
- To give individuals within the EU more control over their personal data by regulating the ways businesses use data.
- To create a standardized internet regulation across all 28 EU member states. Making the law equal for all member states is predicted to save EU businesses around €2.3 billion due to a decrease in burdensome policy fragmentation.
It is also relevant to note that GDPR may affect some businesses outside of the EU – this is the case if said businesses sell goods and services to EU individuals.
In fact, it is quite likely that more and more nations and institutions will implement the same internet regulations in what is known as the “Brussels Effect” – essentially policy learning that follows EU regulation due to its worldwide influence.
According to GDPR, personal data is defined as “any information related to a person that can be used to directly or indirectly identify that person.” This encompasses many things, such as:
- Email address
- Home address
- Bank details
- Social media posts
- Medical information
- IP address
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
There are three main parties involved in the management of personal data:
- Data controllers – this is “a person, a company, or other body that determines the purpose and means of personal data processing.”
- Data processors – this is “any person (other than an employee of the data controller) who processes data on behalf of the data controller.”
- Data subjects – this is “any individual person who can be identified, directly or indirectly, via their personal data. In other words, an end user whose personal data can be collected.”
Ordinary internet users will fall under the category of data subjects. GDPR introduces a set of seven data processing principles intended to “lie at the heart of a company’s approach to processing personal data” – these are guidelines for the processing of personal data.
- Lawfulness, fairness and transparency – this entails that a company must have valid grounds under GDPR for the processing of individuals’ personal data. Furthermore, it needs to be transparent and honest about the ways the data is processed and used.
- Purpose limitation – a company must be clear from the beginning about its purposes for the processing of personal data. This purpose must be recorded and, if it ever changes, either consent needs to be gained once more or the new processing must rest on an otherwise lawful basis.
- Data minimisation – the data processed by a company must be adequate, relevant and limited to what is necessary in relation to the purpose of its processing.
- Accuracy – steps should be taken by a company to ensure that an individual’s personal data is accurate and not misleading. This entails updating it if necessary as well as taking action in the case of incorrect or misleading data.
- Storage limitation – personal data should not be kept for longer than needed. The keeping of personal data for long periods of time should always be justified by the purpose of its processing.
- Integrity and confidentiality (security) – appropriate measures should be in place in order to protect and maintain personal data.
- Accountability principle – this principle requires that companies take appropriate responsibility with regard to their personal data processing activities and compliance with the other GDPR principles.
These guidelines for data controllers and data processors should ensure that data subjects’ personal data is managed and processed in better, safer and more responsible ways.
However, GDPR does not stop here – there is also a set of seven individual rights for data subjects aimed at further ensuring that companies do not merely engage in “tick-box compliance” but actually are disciplined and more responsible in their activities. These are the rights:
- The right to be informed – individuals have the right to be informed about the collection and processing of their personal data.
- The right of access – individuals have the right to access their personal data.
- The right to rectification – individuals have the right to ensure that information about them is correct, as well as to demand corrections in case it is not.
- The right to erasure – also known as ‘the right to be forgotten’, this is an individual’s right to demand their information be deleted by a company who holds it.
- The right to restrict processing – this is the right to deny a company the right to process your data, even in the case that you granted consent – you can take it away at any point.
- The right to data portability – this is an individual’s right to transfer their data between different companies or services.
- The right to object – this is the right to demand that companies cease using your personal data in ways you disagree with or object to.
All in all, these are welcome changes in the ways we manage our personal data. These principles and individual rights as well as other measures that are part of GDPR likely render it the world’s most significant and profound regulation when it comes to internet privacy.
As I mentioned in the introduction, the changing technological landscape that is growing before our eyes will require us to adapt in different ways – my hope is that we do not stifle it with excessive regulation and red tape while simultaneously ensuring that we keep it under control. Ultimately, GDPR’s effectiveness will be seen in the coming years.
Check out the “55 things you need to know about GDPR” infographic from Casino Pick.