The GDPR, the General Data Protection Regulation, went into effect on May 25, 2018. Anyone with any sort of online presence saw at least a mild impact from the regulation, usually in the form of an inbox filled with announcements of changed privacy policies. For some, the only awareness of GDPR was its ability to clog up your inbox and waste your time. In reality, the regulation will affect you in more ways than just those emails you received months ago.
It Affects Those Outside of the EU as Well
One important thing to keep in mind is that legally, GDPR only applies to the European Union. In other words, if you don’t live in the EU, companies need not follow the GDPR in regard to your data. That being said, most companies decided it was simpler to make a worldwide adjustment to their policies rather than maintain separate policies for different regions. This is partly because the GDPR applies to companies that operate in the EU, even if they also operate elsewhere.
Overall, even if you are not in the EU, companies are likely to follow the GDPR regulations regarding your data, even though they are not legally required to.
Keep this distinction in mind when reading about how GDPR specifically impacts you. Those in the EU will notice the greatest impact from the GDPR, while those outside the EU will notice a smaller effect on their lives. Even so, the change outside the EU may still be substantial.
People Have More Power
One of the most important factors behind the GDPR is that individuals have more power. For example, people can take advantage of GDPR to decide to withhold consent for particular data uses. On an individual scale, this means you do not have to worry about companies collecting and using your data without consent. You do not need to wonder what information they have or how they will use it; you can access that data. Plus, you can even request your information be deleted from specific sites.
While this is key on an individual level, the impact becomes more obvious on a larger scale. If the majority of people took the above steps, the data industry would need to change. It would need to come up with new policies and incentives to collect data.
You Have Explicit Rights
The GDPR outlines your specific rights regarding controlling and accessing your data. Some of these are clarifications of previously existing rights. Others are completely new with GDPR.
To start, you have the right to be informed. In other words, organizations need to tell you what data they collect, how they use it, how long they will store it, and if they share it, with whom. You additionally have the explicit right of access: you can ask an organization to give you the data that they have on you. That information should include all the elements outlined in the right to be informed.
You additionally have the right to rectification, that is, the right to have inaccurate information corrected. The right to erasure means that you can demand that a company deletes the information they hold on you. Just keep in mind that there are certain situations where an organization can refuse this.
Under GDPR, you have the right to deny organizations consent to process your data. This applies even if you have previously given consent. As with the right to erasure, there are situations where it can be refused. You also have the right to portability, meaning you can extract the data on you from one organization to use it somewhere else. The idea is to promote competition. There is also the right to object, meaning that organizations must stop using your personal data in ways you do not want, such as nuisance phone calls.
There is also a set of rights under GDPR related to automated profiling and decision making. These let you object to or appeal against an automated decision affecting you. They are particularly relevant in situations with serious consequences.
You Can Worry Less about Data Breaches
Thanks to some of the policies within the GDPR, the average person should have slightly lower concerns about data breaches. First of all, the GDPR requires companies to notify users of any data breach. A company can no longer hide a breach without risking a hefty fine.
Speaking of fines, the Data Protection Authorities have more power on this front with the GDPR, since they can now impose penalties for those personal data breaches. Small infringements, such as failing to notify about a breach, can lead to a fine of as much as 2 percent of a company’s global annual turnover. More serious issues could include not having sufficient consent from customers to process data. In this case, the fine could be up to €20 million or 4 percent of the annual global turnover, whichever amount is greater.
To put those fines in perspective, prior to GDPR, the UK’s maximum penalty was £500,000, although it had only ever reached £400,000. The greater penalties under the GDPR encourage companies to make data security and compliant use a strong priority. This, in turn, gives individuals greater peace of mind.
Your Personal Data Includes More Information
GDPR also extends what counts as personal data. It now explicitly includes online identifiers, such as your mobile device identity and IP address. Since these are part of your personal data, companies must now ask for permission to collect that information.
You Can Better Understand Consent and Policies
When it comes to data, GDPR also makes it simpler for individuals to understand the policies of companies and whether or not they have given consent. You will no longer need to guess if you accidentally gave a website or company consent to collect and use your information. Unless they explicitly asked you for permission, you did not give consent.
Similarly, the GDPR limits the ability of companies to use terms and conditions designed to confuse. They can no longer be excessively long or illegible without a reason.