The General Data Protection Regulation (GDPR) becomes law across Europe in May 2018, replacing a patchwork of data protection laws across the various member states and essentially making privacy the new norm.
Wide-ranging in its scope, a key theme is returning a lot more power over personal data to individuals, who will have new and increased rights over what personal data is collected, what it can be used for and what happens when they want to remove consent.
The GDPR also includes a ‘right to be forgotten’ as well as the right to know when your personal data has been hacked and replaces rules dating back to 1995 when the internet was in its infancy.
Completely in tune with digi.me’s vision to unlock the power of personal data by returning control and ownership to those who create it in the first place, the new law will apply to all businesses not just based in the EU, but also those dealing with EU citizens.
Here’s a quick guide to the main features:
- Privacy by design means that when you download an app or sign up for a service, you should not be asked for data that is not directly needed or relevant for the purposes of interacting with that app or service. Services should no longer be asking for capabilities they don’t actually need, which will immediately restrict data leakage.
- Explicit permission means just that – when you give permission to an app or website to have or use your details in a specific way, they can’t use it for any other purpose or, crucially, sell it on to third parties.
- Data portability gives you the right to ask for any data that a company has about you, which should be returned in a machine-readable form so that you can reuse it, for example to give it to another service provider.
- Giving someone your data doesn’t mean they will always have access to it – under the GDPR you have a right to be forgotten and will be able to ask companies or platforms to delete your data if you no longer want them to have it. The two caveats to this are a) that this won’t apply to some information that there is a legal requirement to keep, for example medical records and b) that it is also a personal right to forget, distinct from the 3rd party Right to be Forgotten, where individuals can request that outdated or undesirable information about them be removed from search engines. (read more about the difference here)
- Clear and affirmative consent will be needed before private data is processed and this will require an “active step” such as ticking a box. The Parliament is clear that “silence, pre-ticked boxes or inactivity will thus not constitute consent. In future, it should also be as easy for a person to withdraw consent as to give it.”
- Right to be informed in plain and clear language – MEPs have insisted that the new rules will put an end to “small print” privacy policies and that information should be given in clear and plain language before any data is collected.
- Clear limits on the use of profiling – new limits where automated processing of personal data is used to “analyse or predict a person’s performance at work, economic situation, location, health, preferences, reliability or behaviour”, including creditworthiness. Under the new regulation, profiling would generally only be allowed with the consent of the person concerned, where permitted by law or when needed to pursue a contract and should comprise a human element, including an expectation of the decision to be reached. MEPs also insisted that profiling should not lead to discrimination or be based solely on sensitive data, such as ethnic origin, political opinions, religion or sexual orientation.
- One law for the whole continent – one of the biggest attractions is that Europe will now be covered by one law, applied in the same way everywhere, instead of a patchwork of national ones. Eliminating the need to consult local lawyers in each country a business has dealings or premises will see direct cost savings as well as legal certainty. Savings from dealing with one pan-European law rather than 28 are estimated at €2.3bn per year.
- Regulatory one-stop shop – businesses will only have to deal with one regulatory body rather than 28, making it simpler and cheaper for companies to do business in the EU.
- The new rules promote techniques such as anonymisation (removing personally identifiable information where it is not needed), pseudonymisation (replacing personally identifiable material with artificial identifiers), and encryption (encoding messages so only those authorised can read it) to protect personal data.
Overall, the new data protection rules give businesses opportunities to remove the lack of trust that can affect people’s engagement through innovative uses of personal data, while giving individuals clear, effective information about what their data is being used for will help build trust in analytics and innovation for the benefit of all.
The new rules will be backed up by harsh sanctions including fines of up to 4pc of a company’s global turnover if they don’t comply.