
What is GDPR (General Data Protection Regulation)?


Businesses are often told that data is the new oil; the raw resource that will power them to new heights. No wonder, then, that they’re so interested in accumulating our personal information. By targeting advertising at us, collecting our information and reselling it, and a whole range of other abuses, our data is big business.

[Image: What is GDPR (General Data Protection Regulation). Image credit: Pixabay]

This wealth of data is not just valuable to companies, either. Hackers want your information to sell or to use to break into valuable accounts. And personal data can even be used for shady purposes, with companies such as Cambridge Analytica harvesting 87 million Facebook profiles.

Well, enough is enough. The excesses of the last few years haven’t gone unnoticed by European Union (EU) policymakers, who have introduced the General Data Protection Regulation (GDPR) to curb data misuse, force companies to boost security and put control back in your hands.

The GDPR, which came into force on 25th May, applies to any company operating and processing data in any EU country. There are no loopholes in it, and companies such as Facebook can’t just ship your data off to a foreign destination to carry on as they were. Also important to note is that, however Britain ends up exiting the EU, the UK government has already confirmed that GDPR rules will continue to apply.

Within GDPR there are eight individual rights enshrined that set out how your personal data can be collected, processed and used. Most importantly, it puts this control into your hands, with businesses, from the smallest to the largest, responsible for protecting your information and, if you ask, divulging what’s stored or deleting it forever.

In this feature, we’ll show how GDPR applies to you and how you can use its new powers to keep control of your data.

WHAT IS GDPR?

While the UK and other EU member states have had data protection rules for a long time, they haven’t been particularly effective in preventing mass data collection and processing. Nor have they pushed companies into boosting their security, with large-scale hacks of the likes of Yahoo! and TalkTalk seemingly taking place all too regularly.

GDPR aims to rectify that, forcing companies to boost security to prevent hacks having an impact, while reducing the amount of processing that can be done on your data. Finally, the control over data has been pushed back into your hands, where it belongs.

To show that the regulators are serious about the new rules, the maximum fines for companies found to be in breach of the regulations, or that lose personal data, are now €20m, or 4% of worldwide turnover, whichever is greatest.

These fines apply whether data has been lost accidentally or through a massive hack. Take TalkTalk, which was fined a record £400,000 in 2016 when it was hacked; under the new rules, this could have been up to £70m. That’s a good incentive for companies to take security more seriously and protect their customers’ data. It will be up to UK privacy watchdog the Information Commissioner’s Office (ICO) to manage fines, with the worst and most negligent offenders likely to get the biggest financial penalties.

HOW DOES GDPR AFFECT ME?

GDPR is a big issue for businesses, with every company from the multinational enterprise to the one-man band having to overhaul its privacy statements and the ways it processes data and deals with security. Most information about GDPR has, as a result, focused on helping business owners get things right.

Yet the regulation is there to protect individuals, and give them the data privacy and control that they need. As such, GDPR has a set of rights that give you more control over your data, and the option to prevent your data from being used by a company.

It’s the biggest shake-up to privacy laws that we’ve ever seen, and GDPR is designed to give us the power to look after our data and hold companies that don’t take the responsibility seriously to account. Here, we’re looking at how GDPR affects companies, your eight rights and the way that you can use them.

MORE INFORMATION

Under older data protection laws, only a certain set of companies legally had to report a breach of personal data. Typically, reported breaches tended to be large-scale hacks, such as with Yahoo! or TalkTalk. With GDPR, companies now have to be more open, and all breaches where personal data was at risk have to be reported to the authorities and communicated to customers.

That’s great news, as it forces companies to disclose information about threats and how your data could have been misused. After the large-scale breaches we’ve seen, trust in firms is at an all-time low. With GDPR, the details about how your data is treated come to you.

While knowing that your data may have been hacked isn’t great news, it’s better to know than have a company try to hide the information. Wider breach reporting means it will be easier to keep an eye on which companies to trust, and which ones to avoid.

YOUR 8 CORE RIGHTS

#1 THE RIGHT TO BE INFORMED

One of the biggest changes with GDPR is how companies have to signpost the way that they collect and use your data. How many times have you signed up for a new website or service, only to be met with an impenetrable block of text that you’d have to be a legal genius to interpret?

No more is this allowed. Thanks to the right to be informed, companies have to present clear terms and conditions, written in natural language. These terms and conditions must explain exactly what your data is being collected for, how it will be processed, where else it will be shared and how long it will be stored for.

You’ve probably noticed over recent months that companies have been revamping their terms and conditions, requiring you to agree to the details. Facebook, for example, has had a big splash page asking its users to consent to processing images for automatic tagging. All of this is to ensure that the company stays within its GDPR obligations. Similar moves have been made by other companies.

For example, Waitrose has sent out a clear email stating how data will be collected, how it will be used and how it will be shared. Other companies are following suit.

All of this clear information is a good opportunity to review what you share with companies and to examine if you’re happy to continue receiving communications from them. When you sign up for new services, you’ll have a clearer idea of how your data will be used, letting you choose if you want to carry on.

HOW CAN COMPANIES PROCESS YOUR DATA?

There are several ways companies can process your data. For many tasks, it’s a matter of getting your consent. GDPR is very clear that consent has to be willingly given, which means opting in, with pre-ticked boxes banned.

Consent has to be granular, too, giving you the option to agree to something, but to deny consent elsewhere. Importantly, there’s no wriggle room when it comes to consent. So if a company seeks and gets your permission for one task, that consent does not apply to a new service or new way of using your data. Rather, the company needs to seek your consent for any new type of processing.

Failure to do any of the above means that a company is potentially in breach of GDPR and can be reported.

A LEGITIMATE INTEREST

While most companies will look to get consent for collecting and processing your data, there are some cases where companies don’t need consent to process your data. For example, shops don’t have to gain consent to process your data for the purposes of taking payment; a shop can also share your details with a courier in order to get an item delivered. This basis for processing without consent is known as a legitimate interest.

Under this part of GDPR, if a company believes that there’s a legitimate interest for processing your data or contacting you, then it can do so without seeking permission. For example, if you buy a car and there’s a safety concern with it, the manufacturer would be able to contact you with a recall notification even if you’d opted out of marketing emails. Here, you would legitimately be interested in the information being sent to you.

Or a company fighting fraud may run checks that don’t affect privacy, but that could stop funds being stolen or your credit card being falsely charged.

However, it’s important for a company to have documentation proving that it has thought about legitimate interest, and has a good reason for using this to process your data. It’s clear that the ICO will not be happy with companies that send out spam under the pretence that the recipients would be legitimately interested in the marketing message. However, honest direct marketing can be a legitimate interest; fortunately, GDPR provides easy opt-out methods for this type of communication.

NO MORE SHARING

A hugely important change is that GDPR could kill off third-party marketing. Before the regulation, it was perfectly acceptable for a company to put a tickbox on their sign-up page that said something like, “You consent to related third parties communicating with you”. So sign up for car insurance, and you may accept breakdown companies emailing you.

Well, no more. Thanks to GDPR, if you sign up to any kind of contact, all of the companies that may contact you or have access to your data must be listed on the sign-up form; if they’re not, then they can’t contact you. The truth is that anyone faced with a huge box full of thousands of potential companies that may want to contact them will run a mile.

Companies may be bemoaning this change, as it affects the number of people that they can contact; as consumers we should be rejoicing, as this change should dramatically reduce unsolicited marketing.

THE RIGHT TO REMOVE ACCESS

While GDPR should cut down on the amount of data sharing and processing that goes on, giving us all some much-needed privacy back, that’s not the end of the matter. Importantly, GDPR requires that it’s as easy for someone to withdraw consent to processing as it was to sign up for it.

So if you want to stop getting marketing emails, being contacted by named third parties or just don’t want to use a service any more, there has to be a simple way for you to remove your consent.

Strictly speaking, the withdrawal method should be offered in the same way as the sign-up process. So if you signed up for a service over the phone, there should be a phone option to withdraw consent. All this information should be easy to find. Companies that hide the opt-out information in an obscure part of their website are going to find themselves in a lot of trouble.

#2 THE RIGHT OF ACCESS

While we’ve looked at how companies should treat you and your data, there are parts of GDPR that put power firmly in your hands. One of the key tenets of GDPR is the right to data access. In other words, you now have the right to request any data that a company holds on you, from electronic notes and emails to any other database records. What’s more, the information has to be provided for free. Under the older Data Protection regulation, requests such as this were charged at £10 each.

Strictly speaking, GDPR does allow companies to make a charge, but this is only allowed in order to prevent widespread misuse of the power.

GDPR only allows companies to make a reasonable charge for data access if “a request is manifestly unfounded or excessive, particularly if it is repetitive”. By “reasonable cost”, the ICO says that this must be based on the administrative cost of processing the data. For example, asking for a data dump of everything that concerns you is a fair request; asking for a filter of information that specifically relates to you, mentioned in emails to specific people, between two dates, may be considered harder to achieve. Likewise, going back and repeatedly requesting the same information will land you with a charge.

The main thing to remember is that you shouldn’t be fobbed off or asked for money for legitimate requests.

#3 THE RIGHT TO RECTIFICATION

If you spot anything that is misleading or wrong with any bit of information that a company holds on you, you have the right to ask for it to be corrected. Companies are given one month to respond to this.

Having the right to ask for changes doesn’t mean that everything has to be updated to the way that you want it. For example, trying to get a company to change its credit rating for you because you think it’s wrong probably won’t get you far.

#4 THE RIGHT TO ERASURE

One of the most powerful rights under GDPR is the right to erasure, commonly known as the right to be forgotten. Under this right, you can ask a company to delete all digital records that it holds on you, and that further communication is prohibited.

There are restrictions to this right. The main one is that companies may retain documents and records for legal reasons. For example, shops may need to store records for tax purposes. Or there may be regulatory reasons why information has to be retained, such as banks needing to keep financial records for a set period of time.

However, while some data may be retained, it should only be stored for a situation when it’s required, and further processing and communication should stop. Companies have one month to reply to a request of this type.

#5 THE RIGHT TO RESTRICT PROCESSING

Under GDPR, the right to restrict processing is similar to the right to erasure, with companies unable to continue processing your data; the difference is that your personal data is not deleted.

Why would you want this? It could be that you’ve noticed an error in your records, so you can ask for processing to be paused while your information is corrected. Or you may need the company to hold on to your data, which you may need for a legal claim.

There are times when restrictions don’t apply. For example, a company could process your data in the pursuit of a legal claim.

#6 THE RIGHT TO DATA PORTABILITY

There’s another reason why you can request and get your data: portability. Rather than companies hanging on to all your data, GDPR requires more open access to your information. The idea is that you can take your data from one company and use it elsewhere.

The important aspect of this right is that your data has to be provided to you in a simple, secure way that doesn’t hinder its reuse elsewhere. So a company can’t provide you with a dump of its proprietary systems in a file that you can’t open; instead, open formats such as CSV files need to be used.

You may be thinking, why would you want to do this? The ICO has a good example with banking: “Midata is used to improve transparency across the banking industry by providing personal current account customers access to their transactional data for their account(s), which they can upload to a third-party price comparison website to compare and identify best value. A price comparison website displays alternative current account providers based on their own calculations.”

In some cases, companies may be able to share data directly with other companies, based on your permissions. However, companies are under no obligation to change their systems to make them compatible with their competitors’.

Requests of this type should be processed within one month.

#7 THE RIGHT TO OBJECT

The right to object is similar to the right to erasure and the right to restrict processing. It’s there to give you an opportunity to object to how your data is being used. Importantly, if your objection is about direct marketing, then the company has to stop immediately.

You can also object to a company claiming that it has a legitimate interest to contact you, asking them to prove that they do. Note that, aside from direct marketing, your objections may not be upheld. Instead, you may want to pursue either the right to erasure or the right to restrict processing.

#8 RIGHTS IN RELATION TO AUTOMATED DECISION MAKING AND PROFILING

This is a point that’s more for regulators looking into a company, but this right is designed to reduce the damage that profiling and automated decision-making can produce.

Specifically, fully automated decisions can’t be made that result in legal effects. The example given in the GDPR documentation is of someone being automatically turned down for a credit card, or automatically rejected by an online recruiting process. Companies instead have to have a human involved at some point to make things fairer.

Profiling is used by many companies to build up a picture of what you’re like using statistical analysis. This information can be used to set pricing, such as with insurance.

Profiling is not specifically outlawed by GDPR, but the controls are tighter. In particular, any profiling has to be free of discrimination. Recently, some insurance companies were found to have increased the cost of car insurance to people with Muslim-sounding names, for example.

What effect this part of GDPR will have on companies remains to be seen, but it’s not something you can generally use yourself, unlike the other rights we’ve looked at.

A FAIRER SOCIETY

GDPR is a huge improvement to data protection laws, giving us one of our most valuable assets back: our data. It should prevent large-scale misuses of data and, for the biggest offenders, there are massive fines waiting.

The new powers that we’ve outlined are yours to use, and they should be. Only when companies are properly held accountable for their actions will we start to see a change and a fairer use of our data.
