If you’re like many people, you fill out forms with personal details like your name, address, birth date and occupation every other day – whether online shopping, registering with a new GP, buying travel or entertainment tickets, or applying for credit with your bank.
Have you ever wondered what happens to all this data? More data on individual people is created, collected, stored, distributed and analysed, with a range of technologies and across international borders, than ever before.
A new EU law
Individuals, companies and governments all worry about what this means. Careless data handling can cause problems for both individuals and the organisations that serve them. As a result, the EU General Data Protection Regulation (GDPR) was devised. It is about improving and harmonising data protection across Europe. The regulation was approved in April 2016, following some four years of discussion and debate.
Some other countries, including Canada, are developing similar laws.
What’s it all about?
The GDPR replaces the older Data Protection Directive 95/46/EC, and applies to all member states from 25 May 2018. If you process data about individuals in the context of selling goods or services to citizens in other EU countries, then you will need to comply with the GDPR. Organisations in other countries will need to comply with the GDPR when trading with the EU.
EU organisations processing personal data must have “clear and affirmative consent” from those individuals, who also have the right to know where, why and how their data is being used, and they can move their data to a different service provider too.
Organisations deemed to be involved with controlling or processing data must report any data breaches that might affect individuals who live in the EU to the appropriate authority within 72 hours.
Data protection failures
A data breach is when personal, sensitive or confidential information stored as data on computer systems is leaked, transmitted, copied, viewed, stolen or used by unauthorised people. Data breaches have increasingly been reported within all kinds of organisations, including large corporations and government departments.
Privacy fears came to a head in 2013 when the then US National Security Agency (NSA) analyst Edward Snowden leaked thousands of NSA documents to the international news media. These US government documents included a vast amount of surveillance data on individuals.
One way to make communications more private is to encrypt personal data by default, so that no one can read it without authorisation and access to a secure encryption key.
The GDPR also says that privacy policies – for example on company websites – must be clear and easy to understand. EU citizens will now have the right to know when their data has been hacked, lost or stolen. On top of that, the “right to be forgotten” means they can have their data deleted, from a website or a company’s database, for instance.
Organisations which fall foul of the new law can expect to be fined up to €20 million or four percent of their global annual revenue, whichever is higher.
And there’s a behavioural aspect …
Modern communications technology can be very engaging – websites, for example, are typically designed in ways that take advantage of the way we usually see the world. This can be a good thing – but it also means that people find it easy to spend money or give up personal data online when they shouldn’t.
For example, phishing is a common type of internet scam where criminals devise tempting “social engineering” emails that get people to part with their personal data or their money.
With the GDPR, people may be able to protect themselves better, for example by ensuring that fewer people have access to their details. Data that has been deleted cannot be misused.
A force for good
The GDPR is aimed at giving the average person more control in a world where people’s details are increasingly stored in computer systems. It can be seen as a step towards making technology more focused on the user, balancing that against the needs of commercial entities and governments that collect data in a bid to improve their products and services.