Sweeping new data protection rules will be approved for the EU soon – but what does it actually mean for you and me?
The General Data Protection Regulation (GDPR), which is expected to be ratified by the EU within weeks, replaces the patchwork of data protection laws across the member states and is expected to become law within two years.
It is wide-ranging and thorough, returning much more power to individuals over what personal data is collected, what it can be used for and what happens when an individual withdraws consent, and it will apply not just to businesses based in the EU but also to those dealing with EU citizens.
Very much in tune with digi.me’s vision to unlock the power of personal data by returning control and ownership to those who create that data in the first place, the four main strands that affect individuals are privacy by design, explicit permission, data portability and the right to forget – here’s a quick guide to each:
- Privacy by design means that when you download an app or sign up for a service, you should not be asked for data that is not directly needed for the purposes of interacting with that app or service. We should no longer have services asking for capabilities they don’t need, which will immediately restrict data leakage.
- Explicit permission means just that – when you give permission to an app or website to have or use your details in one specific way, they can’t use it for any other purpose or, crucially, sell it on to third parties.
- Data portability means you will have the right to ask for any data that a company holds about you, which should be returned in a machine-readable form so that you can reuse it. This could be through the site’s API, although some may try to make this tricky for users. One of digi.me’s key differentiators is accessing all these APIs and other interfaces and normalising data from a variety of sources, and we will continue to make life easier for all in this way.
- Giving someone your data doesn’t mean they will always have access to it – under the GDPR you will be able to revoke permissions and ask companies or platforms to forget it. The two caveats to this are a) that this won’t apply to some information that there is a legal requirement to keep, for example medical records on which a medical decision has been made, and b) that it is a personal right to forget, not to be confused with the controversy around Google and third parties being told not to link to stories and information about individuals that still exist online.
digi.me founder and chairman Julian Ranger said that the first two measures alone will put each and every individual in a much stronger position, with companies only able to ask for relevant data and then use that information for a specific purpose.
He added that businesses that rely heavily on the sale or trade of third-party data are going to see their current business model destroyed and will have to abide by the new rules to get the data they need or want – but crucially directly, not around the side of individuals as now.
He said: “Apps and platforms such as digi.me, which put individuals back in control of their collected data but allow businesses to approach them for permission to use it, will become the new gold standard, as the rights of EU citizens over their data trump the desire of businesses to gather as much as they can.
“Each and every individual will be in a stronger position, while the data businesses do get will be richer and deeper in every way, and thus more useful, although there is no doubt this will be a sea change for many.
“With digi.me, if you own and control your own data, then businesses that request it in an exchange for an offer or service will be fully compliant with all these best practices.
“Fundamentally, with this new legislation, everyone is treating everyone else like proper grown-up adults and it stimulates innovation – good for individuals and businesses alike.”
Oversight of the new legislation, when passed, will be by the existing channels at country and EU level, including the Information Commissioner in the UK, with significant fines for companies found not to be in compliance.