Last Friday saw GDPR – the General Data Protection Regulation – come into effect. Countless companies sent out countless e-mails. But they all explained it from the companies’ point of view. So we have turned GDPR on its head and looked at it from your point of view – and we have done our very best to make it easy to understand.
Unless you live in a cave you will have received a lot of e-mails recently. They would all have told you that you needed to do something by last Friday, May 25th. Chances are that they were all along the lines of “Click this box if you want to go on receiving our e-mails.” (And even if you do live in a cave, someone probably tapped on your rock and said, “You need to chisel your name on this tablet of stone…”)
The reason is GDPR – the General Data Protection Regulation. It’s a new piece of legislation from the European Union designed to give you back control over your data – and it will remain law, even after the UK leaves the EU in March next year.
GDPR gives you significant rights – and place a lot of obligations on companies. So let us take a look at those rights and obligations, and the reasons why companies have been in such a rush to update their data protection and privacy policies.
What do companies have to do?
Essentially – and hence all the new policies – they have to clearly explain why they need your data, how they store it and how they use it, and what they will do if you want them to treat your data differently – or stop using your data altogether. They also need to clearly and simply explain who they are and what they do – and give you all the information you need if you want to get in touch with them.
Companies and organisations that handle data also need to appoint a Data Protection Officer (DPO). He or she is the person ultimately responsible for the company’s data – that means everything from complying with your requests to notifying the authorities of breaches which are likely to threaten the security of customers’ data. That now has to be done within 72 hours of the breach occurring. In theory, we will no longer see big organisations saying, “Oh, by the way, six months ago we lost the details of 20m account holders. Whoops. Sorry…”
Most companies will need to hold some data
Inevitably, companies will need to hold some data about you: if they are going to operate effectively and efficiently and deliver the service you signed up for then they will need to do that.
They will hold this data in one of two ways – personal data and anonymous data. Let us tackle anonymous first as, well, it just sounds more exciting.
Companies and organisations need to know how you move around their website – and they need to know how you arrived at their website. They do this by using the aggregation of a lot of data. You may have noticed that since last Friday “cookie” notices are popping up far more frequently on the sites you visit.
“Cookies” are small pieces of information stored on your browser. Every time you visit a site you start to collect cookies – and all these cookies added together give the site owner a virtual map of how people move around their website. So that is one way in which your data can be used but – as I will explain below – if you do not want your data to be used in this way you can opt out of it.
…And of course, companies hold personal data. That might be something as basic as an e-mail address if you have signed up for a newsletter or special offer. Again, the whole thrust of GDPR is to put you in control of your data, and you now have the right – among others – to see what data a company holds about you.
So what are your rights?
If you make a request to a company’s Data Protection Officer regarding your data, it must be acted upon within 28 days. There are no ifs, buts or maybes about this: the DPO must comply with your request within 28 days. Equally, they must also pass on your request to any relevant third parties: that might be a company like MailChimp that they use for sending out mailshots, or it may be another site that they have referred you to, or to which they have passed your details.
So at any point while a company is in possession of your data you can take all or any of the following actions:
You can exercise your “right to be forgotten”
What it means is exactly that. You can ask the company to delete all the data they hold on you.
You can ask that they stop processing your data
In this case, the company must stop using your data and anonymize any and all data they hold.
You can request access to your data
In this case, the company concerned should send you an e-mail file with all the data they have collected about you. Be aware that they might ask for proof of ID before they send the data out – in that case, the DPO should contact you to request the necessary proof.
You can ask companies and organisations to correct your data
If you think some of the data they hold about you is wrong, or incorrect, you can ask that your data is corrected.
You can impose restrictions on the processing of your data
It is fair to say we are getting into grey areas here, but GDPR allows you to impose restrictions on how your data is used. I suspect that 99% of people will simply say ‘stop using my data’ or ‘delete all my data.’ But the fact that there are degrees of restriction within the legislation is perhaps an indication of how seriously the EU legislators are taking GDPR.
You can object to profiling and/or direct marketing
Some sites will deliver special offers or marketing initiatives. In their new privacy policies, they will say they do this because “we believe the offers will be of benefit to our site users.” You might think they are trying to sell you something. If you do not want to see them any more let the company know and GDPR says they have to stop delivering these special offers.
Finally, you can ask that they move your data to a third-party location
I am not quite sure that anyone knows what this one means. Presumably, if you think Company X might be a target for hackers or spyware – but you want them to carry on using your data – you can ask that they store your data elsewhere. That sounds like a logistical nightmare, but it is there in the regulations…
One last point…
There are, inevitably, going to be mistakes made with GDPR – which leads to the last demand the regulations make of companies and organisations. They must spell out very clearly how you can complain if you think a mistake has been made or they have not complied with a request you have made.