The panic is now over. We are now a few months down the line with life after GDPR, so we take a look at an overview of the changes that were introduced.
Overview of changes
Enforced by the Information Commissioner’s Office (ICO) in the UK, GDPR has its own interpretations, of sorts, for each of the member states, which agree on what ‘compliance’ and ‘noncompliance’ might look like. In the UK, this is still being discussed in the Houses of Parliament (for certain remits, especially around using data for research etc.), so the source of guidance, and the level of information provided, is still fraught with uncertainty.
An important factor to take into account is the territorial scope of GDPR (Article 3, 22-25). For most of us reading this, this includes everything we do. Now take off your ‘work’ hats and think about what that means to us as individuals whose data is being processed by companies within and outside of the EU. The scope covers companies with an office in the EU, even if they do not necessarily do any ‘data processing’ within the EU (beyond their requirement to comply with international laws). It also means that, for certain types of processing activities, companies based outside of the EU still need to comply with GDPR and protect our information. These can include companies offering goods or services (regardless of whether payment processing takes place) to EU citizens, or companies who monitor EU citizens’ ‘behaviour’, insofar as that behaviour takes place in the Union.
Increased rights to data subjects
Gone are the days when we knew nothing about whether our information was being passed around, or even subject to a potential breach. GDPR brings in additional rights for us, as individuals, over our personal information. From having to notify us that they are using our information, to seeking our permission to use the same data for anything new, companies have to tell us what information they collect about us, what they’ll use it for and, more importantly, why they’re doing it – all in a clear, understandable way, and not hidden in the terms and conditions. Sounds nice, doesn't it?
Below are some of the key rights to individuals:
- Breach notification – organisations are required to inform us of a data breach straightaway (if they accidentally or otherwise disclosed our personal information to anyone unauthorised). They also have to report certain breaches to the ICO as before, but they’ll now have to keep a log of ALL breaches that have happened, regardless of whether a breach needed to be reported to the ICO.
- Right to access – we can go to an organisation and get free, electronic information on whether any of our information is being processed, listing all the ways it’s being processed, and why.
- Right to be forgotten – we can go to an organisation and request that our data no longer be processed by the organisation. This, while it sounds desirable, will not be applicable to companies that hold data for undertaking a task as a public authority (or in the public interest). For instance, I can’t ask my university to ‘forget’ me in the way we might think. All information except that which concerns our academic achievement can potentially be removed; Article 17 outlines the details.
- Data portability – this is a new ‘right’ for the individual. Essentially, we can go to an organisation that processes our information and ask them to transfer ALL the data they hold on us to another data controller. It is like switching current accounts between banks, but for companies we may have used for years for a purpose (and where, while we’re not happy with the data being processed, we have resigned ourselves to the fact that it’s worth it for the years we’ve been with the company). This is one to keep an eye on, as to how companies will market it.
- Privacy by design – this, though not a new concept, is only now becoming a legal requirement. Companies will have to undertake data privacy impact assessments before undertaking any new processing of our information, especially if it makes automated decisions about us. If a company decides it’s going to go into business with another company and sell a new type of service or good to both their customers, they’ll have to do a risk assessment as to how the pooling of data from both companies may affect citizens’ right to privacy, and how they can do it without causing undue harm to the data subjects.
- Data Protection Officers – last but not least, all large organisations are required to appoint a Data Protection Officer with appropriate experience and training, who has no other tasks that conflict with this role. This means that we can go and find out who the data protection officer is for an organisation, and have a conversation about our information with someone appropriately trained, without being passed around from middle manager to middle manager.
For you and me, this brings into scope a whole raft of websites (I bet you’re thinking of them all as you read this). The obvious ones are the big corporates like Apple, Facebook and Amazon, who have been monitoring our activities online and collecting huge amounts of data about us (and selling it on) since they came into existence. While they sell us services and goods and monitor our behaviour online, we have never before had control over what they’ve done with our data, nor what they proposed to do in the future. The big lie we’ve come to accept as a fact of life has been the ‘accept’ terms and conditions button we click on countless sites.
What has been done?
Want to see what companies, big or small, did to make sure these regulations were met? Check out my blog reflecting on the actions of big companies such as Facebook and Amazon, and on what OFEC did for its clients too.
What can OFEC do?
From our Membership Management system to our Visitor Management Systems, all are fully GDPR compliant. Why not get in contact to see how we can help?