The GDPR is rarely out of the news at the moment and many news stories, from Facebook and Cambridge Analytica to the alleged data breach at Independent News and Media, have a data protection aspect. Like the Millennium Bug preparations twenty years ago, organisations around much of the world are working feverishly to be ready for this new privacy law. A lot of the coverage therefore is aimed at businesses – but what does the GDPR mean for ordinary people?
What is the GDPR?
GDPR means “General Data Protection Regulation”, a European Union privacy law passed in 2016 which takes effect in all EU states on 25 May 2018. Data protection laws are rules that regulate the collection and use of “personal data”, essentially information about a living person. The GDPR reforms and updates data protection laws across Europe, such as the Irish Data Protection Acts 1988 and 2003, which will be significantly changed by a Data Protection Bill currently before the Oireachtas.
What is changing?
Despite the impression sometimes given in news reports and commentary, data protection rules are not new and the GDPR is an evolution of those rules. A lot of what is in the GDPR has been the law for many years but the GDPR introduces some changes in how organisations can collect personal data about you, what information they have to give you and how they will have to get your agreement to use it. According to the Data Protection Commissioner:
The new law will give individuals greater control over their data by setting out additional and more clearly defined rights for individuals whose personal data is collected and processed by organisations. The GDPR also imposes corresponding and greatly increased obligations on organisations that collect this data.
The amount of personal information that will be covered by the GDPR is significant. Naturally, it will cover things like your name and contact details, date of birth, photographs, personal or health records and so on. It can also include things like “online identifiers” such as IP addresses (the numbered codes used by computers and other devices connected to the internet). The GDPR will also apply to a lot of organisations outside the EU if they collect or use personal data about EU citizens.
Probably the most significant change for organisations collecting and using personal data is that the consequences of mismanaging that data become much more severe under the GDPR. It introduces greater reporting obligations for data breaches than have applied to date and allows for fines to be imposed for breaches of the law (up to 4% of global turnover in some cases).
What does it mean for me?
If an organisation wants to collect or use personal data about you they must:
- not collect anything more than necessary for the purpose for which it will be used;
- obtain it from you fairly by giving you notice of the fact that your personal data is being collected and what it will be used for;
- not keep personal data any longer than necessary for the specified purpose;
- keep it safe and secure; and
- provide you with a copy of your personal data on request.
In addition, you have the right:
- to get details about how your personal data is processed;
- to have incorrect or incomplete personal data corrected;
- to have personal data erased if there is no legitimate reason for keeping it;
- to get your personal data from an organisation if you want to transfer it to another organisation;
- to object to processing of personal data in certain circumstances; and
- not to be subject to automated decision making, like profiling.
Most of these rules are not new, but the increased enforcement rules mean that they are being taken more seriously. Many news stories and controversies in recent years have meant greater focus on the management of personal data, particularly important given the amount of personal data stored on computers and online.
You are likely to receive a lot of new terms and conditions and requests for consent from businesses you interact with. You may already have noticed a lot of mobile apps and websites highlighting information on their services about how they use your personal data. These changes are being introduced in anticipation of the GDPR. In the longer term there are likely to be more frequent examples of regulators like the Data Protection Commissioner taking action against organisations for breaching data protection rules, and of organisations being sued by people affected by mismanagement of personal data.
Are there any other ways GDPR could affect me?
The reforms of the GDPR are likely to be far-reaching and will be felt for years, so they are likely to affect, and benefit, you in many ways.
If you work for someone else, your employer might introduce new rules and procedures for handling personal data in the business. This could include new elements to a disciplinary procedure whereby you could face disciplinary action if you are accused of being responsible for a data breach, for example, where a customer’s personal data is mishandled.
If you are involved in a voluntary organisation or charity like a sports club or voluntary association, that organisation should be preparing for the GDPR. The GDPR will apply to these clubs and societies, whether large or small. It is worth bearing in mind that a lot of sports clubs, for example, collect a lot of personal data about their members, many of whom are children. Some members, involved in training for example, will undergo Garda vetting which involves the disclosure of sensitive personal data. Many representative bodies for such organisations have already prepared guidance and materials for GDPR implementation. If you are involved in a club or society which has not yet thought about GDPR it should be raised immediately and you should urgently decide what work needs to be done.
Stand by for more
In the coming years there will certainly be more court cases involving data protection, as the GDPR increases the ability of individuals to take legal action where their rights have been infringed. A High Court decision in 2013 effectively halted a large number of potential claims for breaches of the Data Protection Acts, but the GDPR includes a clearer right for data subjects to claim compensation for breaches of it.
There is a lot of fear-mongering about the GDPR, with some suggesting it is too restrictive or will cause too many problems. However, the law is aimed at increasing our personal rights and protections – particularly important given the vast amounts of information now generated and used about us, and how such information now travels quickly around networks and the world.