You may have seen the initials GDPR popping up in the news, on your social feeds and possibly even at work. The letters stand for the General Data Protection Regulation. You may have skipped over it because it sounded boring, or the article was for businesses, or you don’t have anything to do with personal data.
You are right, of course, most stuff about GDPR is tedious, specifically directed at organisations and your time is valuable and you must use it wisely. However, you DO have something to do with personal data – your own and that of your family.
So, for a change, let’s give the person about whom the new law has been written to protect (you) an insight into what it does for them. I’ve tried to make it light-hearted and easy to read – tell me if you think it needs improving.
Let’s kick off, and to ensure we are all on the same page, I need to start with the basics, namely, the language of the law…
Terms of Endearment
As you are well aware, the world lives on terminology, abbreviations and synonyms. The GDPR (best get used to that one) has some key terms that we can use to endear you to this article:
- Personal Data – facts collected together for reference or analysis about YOU.
- Data Subject – YOU and, by extension, everyone you know and love.
- Data Controller – An organisation, or individual, who collects YOUR data for a stated purpose and decides how it is processed.
- Data Processor – An organisation, or individual, who uses YOUR data for a specified purpose.
- Legal Basis – The lawful grounds a Data Controller has to process YOUR data.
- Consent – Permission, provided by YOU, or your parents if you are under 16 (or 13 later this year), to say that YOUR data may be used for a purpose.
- Rights – YOUR entitlement to be in control of YOUR data.
- Measures – Steps that a Data Controller and Processor need to take to look after YOUR data and keep it safe.
There are far more of these terms, but this gives us enough evidence to show that this new regulation certainly has YOUR interests at heart. I will stop the capitals now!
Many countries across the world have an existing Data Protection Law of some form. In the UK, the current Act came into force in 1998. You can see from the infographic (from Visually) that, in terms of electronic data, that law was written around the time the first DVDs came into being. Since then, the capacity of cheap digital storage has increased, well, let’s say exponentially and see if anyone complains. Here are some other things that didn’t exist back then:
- 1998 – Bluetooth launched and wireless had a new meaning
- 1999 – Friends Reunited was the first big social network
- 2001 – 3G Mobile network gets more data to your phone
- 2004 – Facebook launches – now with 2.2 billion active users
- 2005 – YouTube starts its cat video collection
- 2007 – First Apple iPhone and the start of the smartphone age
- 2007 – Google StreetView starts sharing pictures of roads
- 2009 – 4G networks launch and the truly mobile internet
- 2010 – Instagram, a new way to show what you’re doing
- 2011 – 1.85 million CCTV cameras monitoring you
- 2012 – Tinder takes swiping to a whole new level
- 2013 – Hold on, now it’s over 5.9 million cameras (see report)
- 2016 – Pokemon Go, tracking augmented critters near you
- 2017 – No. of devices linked to the internet hits 8 billion
The list is almost endless and any of these advances could use your information, your location, your image, your activity, your preferences.
A new law was needed because the organisations collecting and using this data are doing some very clever stuff with it.
Should you be worried about personal data?
I don’t really want to scare you. However, informed concern is a good starting place from which to take action. A few terms that have sprung up, or grown in popularity, in the past 20 years might help highlight the current situation:
- Doxing – You may have done this yourself but called it something else; you searched the internet for published, private or identifying information about someone. It may have been through concern or genuine interest (e.g. your daughter’s new boyfriend!!) or it could be nosy or with malicious intent. What are people finding about you and your family?
- Profiling – the recording and analysis of a person’s data so as to assess or predict their future actions, needs or habits. This is how stores can send you vouchers for just the right products or show you adverts for just what you were looking for. Is that all they can do?
- Hacking – the illegal activity of trying to gain access to data that you have no legal right to view. This phrase has become so common that even my 89-year-old mother knows what it means – that must suggest it’s happening a lot… with your data.
- Spam – unwanted communications such as emails, text messages and telephone calls, along with clever recorded voice interactions, have become the norm. You may have already bought products to stop them, but how do they know you had an accident in the past 3 years?
- The Internet of Things – This is the connected generation. Fridges, heating systems, tablets, game consoles, blood pressure monitors, fitness equipment, cars, TVs have all started connecting to the internet (just the newer ones, not spontaneously!). This provides a wealth of what appears to be non-personal data to the manufacturers and even the public. (see Wired article “The Strava Heat Map and the End of Secrets“)
- Over-Sharenting – Love this one. Various reports (such as) have estimated that the average 5 year old child has over 1000 pictures of themselves on-line… without their permission, surprisingly enough. What happens when they want their privacy or anonymity?
- Surveillance – In 2013 the number of CCTV cameras was placed as high as 5.9 million (see report). In the latest Surveillance Camera Commissioner’s (who knew they existed!) Annual Report it was suggested that, with body-worn cameras, dashboard/helmet cameras, drones and household surveillance, the true number is significantly higher than 6 million. If we’re caught on a person’s camera, what happens to that data?
I think that’s enough to get the “juices of concern” flowing. Now, what can we do, given that you have an appetite for action?
How does the GDPR improve the situation?
Firstly, businesses and organisations that use your data should be working to improve how they handle it. This will likely result in changes in how they communicate with you, making their reasons for using your data clear and, if necessary, confirming that you are happy to continue with the relationship. Hopefully, over time, this will reduce the number of spam emails, especially if you take the appropriate actions (see below).
The GDPR requires that appropriate measures are used to secure personal data, depending on the quantity, sensitivity and dangers surrounding it. So, existing security arrangements will be reviewed and improved measures put in place where necessary.
Above all you should see better, more open and transparent use of your data. You should be aware of what an organisation will do with your data, why they are doing it and where it is being done. You will be able to easily find out who to contact in a company should you not understand what they have said in their privacy notices.
So, you have rights. What can you do with them?
There are some specific entitlements that you have over your personal data. You have the right to:
Be informed
You should know how, when and why your data is being used. You should get this information when it is being collected from you or, if they get it from somewhere else, they must tell you soon after receiving it. Being informed cannot be obscured in legal terms and conditions; it must be provided in a clear, concise and understandable way. If it’s not, you can take action (see below).
Access
Requests can be made to an organisation that is using your data so that you can see what they are using, along with some other information, mainly what should be in privacy notices anyway. There is no charge for these requests and they should be answered within 1 month, although that could be extended with good reasons. However, repetitive requests on your part could lead to administrative charges being raised.
Rectification
If you find that an organisation is using incorrect data about you, then you can request that it be corrected. You can make this request verbally or in writing and it should be completed within 1 month. It’s important that your data is accurate and up-to-date, to reduce errors, and although the burden is on the organisations to make sure they are using the right information, we can all help (see actions below!).
Erasure
This one has also been dubbed “the right to be forgotten”. Much the same as the right to rectification, you can also request that an organisation erase your data. However, not all organisations process your data because you ask them to. Some, like the tax office, local councils and government agencies, have other lawful reasons for using and keeping your details – so don’t think you can “go off the grid” that easily.
There is also the problem of telling an organisation to erase your data and then having them start contacting you as if you were a stranger – far more likely will be the request to cease processing, erase all they can, but leave a small indication that you don’t want to be contacted again. Each organisation will have its own battle with this particular right.
Restrict processing
As with rectification and erasure, this is another right that is not always achievable. This right means that you can request that an organisation limits the way it uses your data. This is likely to be for a specific period whilst the underlying issue is resolved, such as inaccurate data or a question over the lawfulness of the processing. It could be very useful if you know an organisation has data that you need but they are just about to delete it (good housekeeping and all that!) – you could ask them to restrict that process until you have what you need.
Data portability
Moving your data from one service provider to another becomes easier with this right in place. You can request that your personal data is provided in a useful format so that other organisations can use it. There is also an aspect of this which will allow you to request that your data is securely sent to another organisation directly. As an example, you could ask your current car insurers to send all your personal data relating to your vehicle insurance to your new provider, thereby saving you from having to remember, record and re-enter all the details of past claims. Moving this data from one storage area to another in a secure manner is a key capability that organisations will need to provide.
Object
You may oppose your data being used for direct marketing, profiling, statistics or research, or when an organisation is relying on what’s lovingly called “legitimate interests” as the reason for using your data. The organisation can still make a case for continuing processing, but must stop using your data immediately whilst they try to reason with you or remove you.
Not be subject to Automatic decision making and Profiling
“The computer says no” problem is partially addressed with this right. Amongst other things, you can request that a human intervenes in an automated process and review any decisions manually. It may still come up “no” but at least, possibly, cold logic isn’t solely in use! Suffice to say you need to take some action (see next section) to know whether this right is of use to you.
We can each take actions that could make a difference, by helping organisations truly appreciate what you understand, what you want, and that the personal data of you and your family is important to you. Try these actions for starters:
- Know where your data is – make a conscious effort to work out who holds what on you and those for whom you are responsible.
- Find out whether the organisations that are processing your data are making efforts to improve – Check privacy notices, see if you can find out who in the organisation is responsible for the security of your data, look and see if they are openly making efforts to improve the way they handle personal data
- Before providing any personal information – check the privacy notice, it should be easy to understand and make you very clear on what they do with your data once they have it. Read the notices on forms before you fill them in. If you are signing up for something which requires you accept terms and conditions READ THEM – I know you don’t want to, but it’s a contract you are signing and if they are serious about GDPR it will be easier to read and understand than it was before.
- Check data – There are services that can help you see what data is out there about you. For example, Noddle is a free service (not the only one of its kind, but it is the one I use) which will show you what financial information is used to make decisions about you – it’s a good place to start without invoking your Right of Access!
- Use the unsubscribe function – If you don’t want a regular communication, unsubscribe – simple as that. If the sender doesn’t appear reputable, though, marking it as spam in your email system is a good way of getting it out of your inbox for good.
- Complain to an organisation if their Data Protection information is poor – If you don’t understand a privacy notice or terms and conditions, or feel unsure about their proper handling of your data, tell them first. If you do not get a satisfactory response within a month, then you may want to consider raising a concern with the Information Commissioner’s Office (ICO), which oversees the enforcement of this law.
- Check your social network settings – Facebook, WhatsApp, LinkedIn, Pinterest, Instagram, Twitter, Tumblr (the list is nearly endless) all have security settings and many are working really hard to protect your data – but you can disable those settings, or be unaware of the features, and be leaving yourself open to some of the dangers I listed above.
As I said before, there is a lot of business media coverage on this new Data Protection Regulation and there will be much more, no doubt. The onus is very much on organisations doing the right thing towards you and the data of yours that they process. This will be an evolving experience for all of us, with various styles and approaches tried to achieve the challenging requirements of this law.
Many organisations are truly doing their best for you and your data. They have quite a challenge on their hands with this new law. I am in no way advocating a mass attack on these organisations but merely requesting that we each take a part in improving the way that personal data is perceived. If you run an organisation or business and you aren’t sure you are compliant, you need to get going.
Generally speaking, the average person hands out personal information with little or no thought, usually assuming that organisations have got their house in order. Don’t be that person anymore. Find out and check up on who is using your data and why – it is essential for yourself and those you love to get this under control, NOW!