By Nani Jansen Reventlow & Jonathan McCully
You’ve probably heard a lot about it (or at least ignored it) in your inbox, but today’s the day! What day, you ask? Christmas? No! It’s GDPR day, of course.
The GDPR (full and wonderful title ‘General Data Protection Regulation’) came into force on May 25, 2018 and is one of the most significant overhauls of data protection rules in history. But what does it mean for our human rights and why should you care?
First up, what actually is the GDPR? Well, it governs when our personal data can be lawfully collected, stored and used by others. Personal data means “any information relating to an identified or identifiable natural person.” This includes your name, location data, IP address, photograph, job title, or political opinion.
Whilst it may not have the snappiest title, the GDPR matters. The recent Cambridge Analytica scandal brought into sharp focus how things can go wrong when our data is misused. So it’s important that our right to privacy under the Human Rights Convention and the more specific fundamental right to protection of our personal data (under the EU Charter of Fundamental Rights) can be upheld in practice.
This is where the GDPR comes in. It will protect these rights more fully by expanding on the old EU law on data protection and ensuring regulation is harmonised across the EU. It gives us significant empowerment over whether, how and when our data is used.
We’ll Have More Control Over Our Data
Under the GDPR, if organisations want to rely on our consent as their basis for processing our data, it must be “freely given, specific, informed, and unambiguous”, in the form of a statement or affirmative action.
This means consent cannot be implied from silence or a failure to opt-out (by, for example, unticking a box). We should, therefore, get greater control and awareness over how our data is being used.
This complements other rights protected under the GDPR, including the right to access, rectify, erase and object to the processing of our data, as well as the right not to be subject to automated decision making (including profiling).
Our Data Will Be More Secure
The GDPR introduces increased security requirements. It means those processing data must adopt “technical and organisational measures” for security purposes, such as pseudonymization and encryption. The new rules also require that data should only be used for the purpose for which it was collected – this means that companies cannot hang onto our data “just in case” they need it later.
And when the security of our data is breached, such as in the case of a ransomware attack, the relevant data protection authority must be notified straight away. Where the breach is likely to result in a “high risk” to fundamental rights, the individuals affected must also be informed.
This will increase transparency around security breaches, and stop businesses from keeping such incidents secret or being slow to disclose them.
It’s Easier To Enforce Our Rights
The GDPR significantly increases sanctions for non-compliance. Breaches of some provisions of the new rules can result in fines of up to €20 million or 4 percent of a business’ total worldwide turnover for the previous year.
It will also be easier for individuals like you and me to bring claims for breaches, including under a provision that allows individuals to authorise not-for-profits to take cases on their behalf. This means we could see class actions being brought to enforce our rights under the GDPR.
The increase in penalties, coupled with greater access to justice, should incentivise greater respect for data protection rights across Europe.
What’s more, the effects of the GDPR do not stop at Europe’s borders. For the first time, EU data protection law will apply to companies with no business establishment in the EU when they either monitor the behaviour of EU residents or offer goods or services to them. This means organisations based outside the EU (such as overseas social media platforms or website hosting providers offering their services to EU citizens) will face greater accountability.
The full implications of the GDPR are yet to become clear. But there is no doubting its potential for enhancing our right to privacy and our fundamental right to protection of our personal data. Here’s hoping it delivers on that potential.