If your inbox is anything like ours, it’s likely to be full of emails from various companies telling you that they’re either changing their privacy policy or asking if they can stay in touch. And over the next five days you’re going to start seeing not just more of these emails, but pop-ups on every website you use.
The reason for this is a European law known as the General Data Protection Regulation. It is the single largest piece of online privacy law ever created, and when it is enforced on 25 May it will fundamentally change the way companies handle your personal data online.
For the most part you won’t have to do anything during this change, but once it’s in place it will give you the ability to completely control your online identity. Here’s everything you need to know about GDPR and what rights it gives you.
What is GDPR?
GDPR is a collection of data protection laws affecting any person who lives inside the European Union. They require that any personal information given or collected about you is stored securely, is easily accessible by you, and can be deleted with ease at any point.
Personal information includes everything from passwords to email addresses and photos, to posts on social media. It also includes all the data that websites collect on you such as the phone you use, how long you spend on it, your location and even the operating system you’re running on.
All of this information must now be protected and every website, app or company that collects this information must let you know how it’s using it and give you the control to stop them.
Essentially this can all be boiled down into four main rights.
1. You have the right to be told about what a company is doing with your data
Every company that wants to collect data about you has to tell you that it’s going to do that and it has to do so in a way that’s easy to understand.
Over the next few days you’ll start seeing notices from websites asking your permission to do just this. Most of them will simply ask you to ‘agree’ – but of course you also have the right to disagree. If you don’t like the kind of data that a website is collecting you can say so, and that company will then be bound to stop acquiring it. However, that might mean you won’t be able to visit a site anymore.
If you agree, then a website must now show you exactly how it’s collecting your personal data and why. To do this, most sites and services will start featuring a ‘dashboard’ that shows you in real-time the type of data that’s collected. A really great example is Google’s privacy dashboard which gives you almost exhaustive access to all the ways in which Google is collecting information about you.
For most websites, data collection will mostly be focused around advertising. A brand might log which products you look at and when, for example. That information might then be used to show you advertising of similar products as you look elsewhere on the internet. These dashboards will allow you to control how much of this targeted advertising you see and even whether you want to see it at all.
2. You have the right to access and download this data
In much the same way that Facebook lets you download every piece of information that it has on you, GDPR requires that every company now offers this. That means that whether it’s Twitter, Google, Nike, LinkedIn, Asos or Facebook you have the right to ask them for all the information they hold about you.
The company has just one month to provide you with that information once you’ve requested it. More importantly it has to do it free of charge, and it must make sure that the information you download is clearly legible and compatible with all modern computers.
There are some cases where a company can reasonably decline to provide you with this information. This is either when you already have the data or handing the data over would involve a disproportionate amount of effort.
3. You have the right to move data safely and securely between companies
The right to data portability will mostly affect the way that companies handle your data with other companies.
It means that if they want to share personally identifiable data they have on you, e.g. medical records, they have to share it securely and in a way that won’t be accessible by criminals or hackers.
It also means that if you personally want to move that data around, you’ll have the ability to do so, again in a secure and responsible way.
This right is about fundamentally making sure that as companies start throwing around information they have on you, they have to do it properly.
4. You have the right to delete this data
This is your right to be ‘forgotten’ by the internet and it’s one of the most powerful rights you have under the GDPR.
In terms of Google, Facebook and Twitter this right effectively allows you to demand that any of these companies remove and permanently delete that data from their servers. This could also apply to a company like Amazon, or AutoTrader or even Match.com.
Your right to have this information deleted can be overruled for the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.