The General Data Protection Regulation (GDPR) becomes law across Europe in under a month.
Wide-ranging in its scope and making privacy the new norm, the key theme is giving individuals a lot more power over their personal data.
These rights include new and increased rights over what personal data is collected, what it can be used for and what happens when individuals want to withdraw consent.
Completely in tune with digi.me’s vision to unlock the power of personal data by returning control and ownership to those who create it in the first place, the new law will apply to all businesses not just based in the EU, but also those dealing with EU citizens.
Julian Ranger, digi.me’s Founder and Executive Chairman, said: “Fundamentally, with this new legislation, everyone is treating everyone else like proper grown-up adults and it stimulates innovation – good for individuals and businesses alike.”
Here’s a quick guide to the legislation’s ten main features:
- Privacy by design means that when you download an app or sign up for a service, you should not be asked for data that is not directly needed or relevant for the purposes of using that app or service.
- Explicit permission means what it says on the tin – when you give permission to an app or website to have or use your details in a specific way, they can’t use it for any other purpose or, crucially, sell it on to third parties.
- Data portability gives you the right to ask for any data that a company holds about you in a machine-readable format so that you can reuse it, for example by giving it to another service provider. Ideally, this would be through an API, although the legislation doesn’t mandate this. One of digi.me’s key differentiators is accessing all these APIs and other interfaces and normalising data from a variety of sources in one place, and we will continue to make life easier for all in this way.
- Giving someone your data doesn’t mean they can keep it forever – under the GDPR you have a right to be forgotten and will be able to ask companies or platforms to delete your data if you no longer want them to have it. The two exceptions to this are a) it won’t apply to information that there is a legal requirement to keep, such as medical records, and b) it is a personal right to forget, distinct from the third-party Right to be Forgotten, under which individuals can request that outdated or undesirable information about them be removed from search engines.
- Clear and affirmative consent will be needed before private data is processed and this will require an “active step” such as ticking a box. The Parliament was clear when the legislation was announced that “silence, pre-ticked boxes or inactivity will thus not constitute consent. In future, it should also be as easy for a person to withdraw consent as to give it.”
- A right to be informed in plain and clear language – MEPs have insisted that the new rules will put an end to “small print” privacy policies and that information should be given in clear and plain language before any data is collected.
- Clear limits on the use of profiling – there will be new limits where automated processing of personal data is used to “analyse or predict a person’s performance at work, economic situation, location, health, preferences, reliability or behaviour”, including creditworthiness. Under the new regulation, profiling would generally only be allowed with the consent of the person concerned, where permitted by law or when needed to pursue a contract and requires human intervention. MEPs have also insisted that profiling should not lead to discrimination or be based solely on sensitive data, such as ethnic origin, political opinions, religion or sexual orientation.
- One law for the whole continent – one of the biggest attractions is that Europe will now be covered by one law, applied in the same way everywhere, instead of a patchwork of national ones dating back to when the internet was in its infancy. Savings from dealing with one pan-European law rather than 28 are estimated at €2.3bn per year.
- A regulatory one-stop shop – businesses will only have to deal with one regulatory body rather than 28, making it simpler and cheaper for companies to do business in the EU.
- The new rules promote techniques such as anonymisation (removing personally identifiable information where it is not needed), pseudonymisation (replacing personally identifiable material with artificial identifiers) and encryption (encoding messages so that only those authorised can read them) to protect personal data.
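Pseudonymisation in particular is easy to get wrong: hashing an identifier with an unkeyed function is often mistaken for it, yet anyone holding a list of candidate addresses can recompute the hashes and re-identify the records. The Python example below (added here; it is not digi.me’s code, and the sample record and key are constructed) contrasts that with keyed pseudonymisation, which keeps the link only for whoever holds the separately stored key, and with plain anonymisation, which drops the identifier altogether.

```python
import hashlib
import hmac
from typing import Callable, List, Optional

# Constructed sample record: the kind of personal data a service might hold.
SAMPLE_RECORD = {"email": "alice@example.org", "city": "Lisbon", "purchases": 3}

def naive_pseudonymise(email: str) -> str:
    """Unkeyed SHA-256 of an identifier. It looks anonymous but is NOT:
    the hash is deterministic and public, so recover_by_guessing() below
    links it straight back to the address."""
    return hashlib.sha256(email.lower().encode()).hexdigest()

def keyed_pseudonymise(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key stored apart from the data set.
    Without the key the token cannot be linked to a person; with it the
    controller can still find the right record for an access, portability
    or deletion request. Destroying the key renders the tokens unlinkable."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()

def recover_by_guessing(token: str, candidates: List[str],
                        pseudonymiser: Callable[[str], str]) -> Optional[str]:
    """Re-identification check: does any candidate identifier yield this
    token? Succeeds against the unkeyed scheme, fails against the keyed one
    when the guesser lacks the key."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymiser(candidate), token):
            return candidate
    return None

def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Replace the direct identifier with a keyed token; keep the rest."""
    out = dict(record)
    out["subject_id"] = keyed_pseudonymise(out.pop("email"), key)
    return out

def anonymise_record(record: dict) -> dict:
    """Drop the direct identifier entirely: no token, so no way back."""
    out = dict(record)
    out.pop("email", None)
    return out
```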
Overall, the new data protection rules give businesses opportunities to innovate and win back trust from consumers, while giving individuals clear, effective information about how their data is being used.
The new rules, which come into force on May 25, will be backed up by harsh sanctions, including fines of up to 4% of a company’s global turnover for those that don’t comply.