What does GDPR mean for me? An explainer


The General Data Protection Regulation is a European Union privacy law that comes into effect on May 25, 2018. It has been years in the making, and is to replace the last major piece of EU privacy law, which dates from 1995: a time when Geocities was popular, before Facebook, before Myspace, before even Google. A lot has changed in how the internet is used for business and the role data and data-sharing have in our lives, so it’s about time the law was updated.

GDPR updates privacy law to account for more recent technical developments and how we use them. It increases restrictions on what organisations can do with your data, and it extends the rights of individuals to access and control data about them. This is a good thing. It also extends in some cases these restrictions and safeguards on what can and cannot be done with your personal data to organisations based outside the European Union if they handle data collected within it. Somewhat controversial, this is also a good thing.

The links below are from the UK Information Commissioner’s Office. You can find links to data protection agencies for other EU member states here.

KEY ELEMENTS OF THE GDPR

The GDPR requires organisations handling personal data to do so according to its six data processing principles, namely that:

> a) it is processed fairly, lawfully and transparently
>
> b) it is collected and processed for specific reasons and stored for specific periods of time, and that it is not used for reasons beyond its original purpose
>
> c) only the data necessary for the purpose it is intended is collected, and not more
>
> d) it is accurate and that reasonable steps are taken to ensure it remains accurate
>
> e) it is kept in a form that allows individuals to be identified only as long as is necessary
>
> f) it is kept securely and protected from unlawful access, accidental loss or damage

From these principles, GDPR requires organisations collecting, using and storing personal data to define a lawful basis that the organisation will use to explain its use of personal data. These are, for example, that they have the individual’s consent, or that they need to do so in order to provide a product or service the individual has asked for, or that they are legally obliged to do so. Every bit of personal data held by an organisation must be justified according to one of the six lawful bases.


This is why you have probably been receiving many emails from organisations asking you to confirm that you wish to continue to receive their emails – they are seeking your consent as a lawful basis for using your data.

YOUR PRIVACY RIGHTS

The GDPR also defines the rights that individuals have to access and control their data:

1. The right to be informed

When they are collecting data from you, organisations must properly inform you what data they are collecting, what they are using it for, how long they are keeping it and which organisations it is being shared with.

2. The right of access

You have the right to contact an organisation and ask them to provide the data they hold on you. This includes the data they hold, why they hold it, and what they are doing with it, including which organisations it is shared with.

3. The right to rectification

You have the right to ensure that information about you is correct, and to ensure that information is corrected if found to be inaccurate.

4. The right to erasure

Also known as the “right to be forgotten”, this means you have the right to demand that information a company holds about you is deleted, in part or entirely. This is not an absolute right, and in some circumstances this request can be refused.

5. The right to restrict processing

You have the right to deny consent for an organisation to process your data, even if you have given consent for it to do so in the past. This right also is not absolute and can in some circumstances be refused. But an organisation must be able to show you what it is doing with your data so you can decide to restrict processing if you wish.

6. The right to data portability

This right gives you the opportunity to take the data an organisation holds on you and extract it for use elsewhere. Good examples are the features that Facebook or Google offer that allow you to download the profile information accumulated on the service. This is to promote competition, so that users are not forcibly tied to an uncompetitive service due to the weight of accumulated data.

7. The right to object

This allows you to demand that organisations stop using your data in ways you object to. For example, sending direct marketing, or making nuisance commercial phone calls.


8. Rights in relation to automated decision making and profiling

Finally, with the growth in profiling and the use of data to make automated decisions, from targeted advertising or content to credit decisions or job applications, this provides individuals with the right to object to or appeal against automated decisions that affect them. This is particularly the case where decisions have serious legal consequences or similar. All such processing requires the explicit, informed consent of the individual.

-------------------------

Taken together, these principles and rights make the GDPR the world’s most powerful and far-reaching privacy law. Because so much business is now very international, the effect will be that companies outside the EU will conform to GDPR privacy standards in order to access European markets of 500m wealthy consumers. Following years of data breaches and hacks and scandals about government and corporate intrusion into our private lives, if the GDPR improves the strength of privacy rights across the world, well, this is definitely a good thing.