What can the public actually request once GDPR becomes law?

13 Mar 2018

Woman using her phone. Image: towfiqu ahmed barbhuiya/Shutterstock

We’ve heard a lot about how companies can prepare themselves for the arrival of GDPR, but what does it mean to the person on the street?

‘Remember, remember the 25th of May’ might not exactly be as musical as the famous Guy Fawkes rhyme, but it is certainly one you don’t want to forget as it marks the date when the EU’s General Data Protection Regulation (GDPR) becomes enforceable.

This means that any company not complying with the regulations could be met with severe legal punishments and massive fines that would threaten the existence of any SME.

What are people entitled to?

Simply put, an EU citizen is entitled to contact an entity – whether it is a private company or a public body – and ask for a copy of the full list of the data it has on them, be that digital or physical files.

All that’s required from you is to send a request to the body or company you wish to obtain the data from, detailing that it is a legal requirement under GDPR, and provide as much information as possible to help them track down that data.

As was the purpose of GDPR when it was drafted, this gives you much greater power over your data in order for you to make sure that it is factually correct, only available to those who should have it and is being used only for stated purposes.

Under the law, you are guaranteed a number of rights, including the right to:

  • Know how your data is being processed by an organisation or business
  • Obtain copies of your personal data
  • Have any incomplete or incorrect data fixed
  • Have any data held erased upon request (if there’s no legitimate reason to hold on to it)
  • Transfer data to another organisation
  • Object to the processing of data in certain circumstances
  • Not be subjected to automated decision-making

Are we aware of our rights?

A quick search of the internet will tell you that the conversation has been dominated by legal firms and security experts telling businesses what they need in order to be ready for GDPR, to the point that you would think it only involves them.

The only problem is that it doesn’t, and millions of EU citizens will soon have more control over their online activities and personal data than has ever been possible before.

According to a survey conducted last year in Ireland, a big majority (77pc) of 1,000 Irish adults polled intend to activate their new rights over personal data once GDPR comes into force.

William Fry partner Leo Moore spoke to Siliconrepublic.com about the regulation, noting how few articles he has seen generally on what the public actually has access to once it becomes mandatory in May.

However, that is not to say that the general public has not been made aware of, or is ignorant about, its rights, with Moore overhearing people talking about it on more than one occasion, including a group of people sitting around casually for drinks in a hotel.

“Yes, more could be done,” he said, “but I’m not sure how much people are interested in what these new rights are until they actually need to and want to exercise their rights.

“Some people will have a greater interest than others. It’s difficult to know if we’ve been doing enough or whether or not people just aren’t that interested yet, despite early examples showing that there is some interest in it.”

To the credit of the Office of the Data Protection Commissioner (ODPC), a campaign has started in recent days, guiding people towards its dedicated GDPR website, providing information on citizens’ rights.

The public will now have ready access to the vast amounts of data stored within a multitude of server rooms. Image: Dario Lo Presti/Shutterstock

How do you ask for your data?

On the surface, not a lot will change when compared with what exists under current regulation, as you need to write a letter or email to the ODPC detailing what information you want copies of.

Under GDPR, however, this is expanded as a given right with companies as well. In most cases, it does not require a fee, but it does give companies a bit more control to charge in instances where the request could be deemed more repetitive or larger in scale than the norm.

Already, tech-savvy companies are moving to simplify the process even more, as seen with Facebook, which is testing ways to ask users about whether or not they want to use facial recognition technology.

Eventually, Moore added, it could become as simple as suddenly deciding you want to get a copy of all your data from a company and sending a text message request.

“Technology will have a greater part to play, for sure,” he said. “It’s encouraged within GDPR and certainly in data protection circles to use technology to a greater end to facilitate individuals exercising their rights.”

Do we all want to be forgotten?

One of GDPR’s key tenets, familiar to many already, is the ‘right to be forgotten’. Since a famous court decision in 2014, it is now possible to submit a request to Google that particular links or information appearing under search results be deleted.

So far, hundreds of thousands of requests have been submitted to the company, giving an indication of how much of a task is at hand for those organisations who will now have to process such requests.

Or at least, that would appear to be the case. For Moore, it is unlikely that the number of people making ‘right to be forgotten’ requests will match the number just looking to see their data.

“There is an attempt to have a balance of interests [between the data subject and organisations] that needs to be brought into play,” he said.

“It’s nice to have it in there in the legislation, but it’s unlike the access requests or the right to object. They’re almost without caveat in many instances. You simply ask for certain data processing to stop, or ask for access to information.”

By the time 25 May rolls around, Moore does envisage an inevitable spike in requests – particularly in a legal context as, while previously under Irish law you could only sue for financial or material loss, GDPR allows for non-material loss also.

Get ready, data protection officers – EU citizens appear to be more ready for GDPR than you might think.


Colm Gorey was a senior journalist with Silicon Republic
