You know the drill: whoever controls the information rules the world. And as we get further entangled in the web of third-party applications, we hand over more and more of our personal information to nondescript third parties who use it as they see fit for their own benefit.
Worse still, most of the time we do it willingly, without fully comprehending the possible consequences of such nonchalant and careless giveaways.
To make matters worse, until recently the rules governing the use of personal information were outdated: the EU's previous framework, the 1995 Data Protection Directive (DPD), was written before the modern web and, being a directive, was transposed into national law differently by each member state. That is why GDPR is so important.
Previously, we covered why GDPR was implemented. This time we are going to explain how it works.
We live in a tumultuous time. Right now, information is probably the most valuable resource, and there is something of a gold rush for every bit and piece of this precious matter. Everyone is digging for information in one way or another. Why? Because that is how companies make money these days.
Because of that, it is something that must be thoroughly regulated in order to prevent abuse and misuse of personal information by any means, intentional or not. Users should know their rights and companies should know their responsibilities.
GDPR does not define personal data as a fixed list of fields. Under Article 4(1) it is any information relating to an identified or identifiable natural person, where "identifiable" covers indirect identification through an identifier or a combination of attributes. In practice that includes:
- Identity information (name, date of birth, postal address);
- ID numbers (national ID, passport, customer or account number);
- Location data;
- Online identifiers: IP addresses, cookie identifiers, device and advertising IDs, RFID tags;
- Economic status (salary, bank details, purchase history);
- Factors specific to a person's physical, physiological, genetic, mental, cultural or social identity.
A subset of personal data is treated as "special categories" (Article 9), for which processing is prohibited unless a specific exception applies:
- Health and genetic data, and biometric data used to uniquely identify a person;
- Racial or ethnic origin;
- Political opinions, religious or philosophical beliefs, trade union membership;
- Sex life and sexual orientation.
A practical consequence: a log line that contains only an IP address and a cookie ID is still personal data, because those identifiers can be combined with other information to single out a person.
The DPD already gave individuals rights over the personal data they hand to a company in exchange for its services; GDPR elaborates on those rights and puts them on solid ground. It is designed to bring balance to the relationship between companies and users: it brings "fair play" principles to data operations and installs a clearly defined code of conduct for both sides, something the DPD addressed only loosely and that every member state interpreted in its own way.
The GDPR principles of data protection (Article 5) are:
- Lawfulness, fairness and transparency;
- Purpose limitation;
- Data minimisation;
- Accuracy;
- Storage limitation;
- Integrity and confidentiality (security);
- Accountability: the controller must be able to demonstrate compliance with the principles above.
For companies, GDPR sets out the rules for gathering and using users' information. Its most visible change is making the lawful basis for processing explicit. Consent is the best-known basis, but it is only one of six (Article 6): processing is also lawful when it is necessary to perform a contract with the user, to comply with a legal obligation, to protect someone's vital interests, to carry out a task in the public interest, or for the controller's legitimate interests where these are not overridden by the user's rights. Any processing that cannot be tied to one of these bases is unlawful, and ignoring this can lead to significant fines. Where consent is the basis, it must be freely given, specific, informed and unambiguous, given by a clear affirmative action (pre-ticked boxes and silence do not count), and as easy to withdraw as it was to give.
GDPR stresses the importance of accountability in building and maintaining trust between users and the company. It requires every company not only to follow its rules but to be able to demonstrate compliance with them.
One of the major goals of GDPR was to define clearly who does what, how and why in a data processing operation. While this might seem simple, the legal peculiarities are no joke and it all needed precise clarification.
The rights and responsibilities regarding data processing are divided between several parties:
- Data subject, aka user: an identified or identifiable natural person whose personal data is processed;
- Data controller: the organisation or company that determines the purposes and means of the processing of personal data;
- Data processor: an organisation or company that processes personal data on behalf of the controller (a cloud provider hosting a controller's database is the typical case). The same company can be a controller for some processing and a processor for other processing, and controller and processor must have a written contract defining the processor's obligations (Article 28);
- Supervisory authority: the national data protection authority that enforces GDPR and to which breaches are reported.
Every party has a distinct set of rules and requirements. The regulation also specifically describes the procedures to follow in cases of system failures, hacks or data breaches.
GDPR requirements for companies include the following:
- Process data lawfully, fairly and transparently, on a valid lawful basis; where that basis is consent, it must be freely given, specific, informed, and revocable at any time;
- Explain, in plain language, what data is collected, why, and how it is going to be processed (Articles 13 and 14);
- Be able to demonstrate that consent was given (Article 7): keep a record of who consented, to what, when, and through which interface;
- Limit data gathering to what is necessary for the specific purpose;
- Set time limits on data storage, keeping personal data only for as long as it is necessary for the stated purpose;
- Keep the data accurate and up to date, by cooperating with the data subjects;
- Adopt data protection by design and by default (Article 25): data protection must be considered for every new process or system at the design stage, and the default settings must be the most privacy-protective ones;
- Maintain records of processing activities that can be reviewed by regulators (Article 30);
- Implement technical and organisational security measures appropriate to the risk (Article 32). The regulation names pseudonymisation and encryption, the ability to ensure confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability after an incident, and regular testing of these measures; it does not prescribe specific products or algorithms;
- Notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33); the reasons for any delay beyond 72 hours must be documented;
- Inform the affected users (data subjects) without undue delay when a breach is likely to result in a high risk to their rights and freedoms (Article 34);
- Implement technical and organisational measures to ensure the protection of the user's data rights;
- Carry out a data protection impact assessment (DPIA) before processing that is likely to result in a high risk to individuals, for example large-scale profiling or systematic monitoring (Article 35);
- Appoint a data protection officer (DPO) to oversee data processing activities where required (Article 37): public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. Other companies may appoint one voluntarily.
Aside from that, GDPR introduces a system of rather harsh fines for violating the rules. Fines are decided case by case and depend on the nature and gravity of the infringement and the damage done. There are two tiers (Article 83): up to €10 million or 2% of the company's total worldwide annual turnover of the previous financial year, whichever is higher, for infringements such as failing to implement security measures, keep records or notify breaches; and up to €20 million or 4%, whichever is higher, for violating the basic principles of processing, the conditions for consent, or the rights of data subjects.
On the other hand, GDPR gives users (data subjects) an elaborate set of privacy rights that give them tools to control the use of their personal information. Believe it or not, while these rights seem obvious, before GDPR several of them did not exist in this form and the rest were hard to enforce in practice.
Here they are:
- Right to erasure, better known as the right to be forgotten (Article 17): deletion of the gathered data;
- Right not to be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects (Article 22), and the right to object to processing based on legitimate interests or done for direct marketing (Article 21);
- Right to restrict processing (Article 18), for example while the accuracy of the data is being disputed;
- Right to be informed about what data is collected, why, on what lawful basis and for how long (Articles 13 and 14);
- Right of access (Article 15): a copy of all personal data held about the user, the first copy free of charge and normally within one month;
- Right to data portability (Article 20): receive the data the user provided in a structured, commonly used, machine-readable format and have it transmitted to another controller;
- Right to withdraw consent at any time (Article 7(3));
- Right to rectification (Article 16): have the personal record corrected on request.
The most important innovation for users is the right to be forgotten, which lets them request the deletion of their personal data from a company's databases unless there is a legal ground that justifies keeping it (for example, a retention obligation under tax or accounting law, or data needed to establish or defend legal claims). GDPR also regulates automated decision-making and gives users instruments to object to it, to obtain human intervention and to contest the decision.
While it is hard to say how successful it will turn out to be, judging from the text, GDPR is going to force certain overreaching companies to pay their dues.
On the other hand, it finally gives users distinct instruments to control their personal data and to counter its unlawful use.
* * *
This blog post is part of a series.