Sunday, October 18, 2020

How the General Data Protection Regulation (GDPR) Aims to Protect Your Personal Data

by guest writer Jack Filiba

We are in the midst of some of the largest changes to online data collection and consumer rights in the history of the Internet. One such change arrived in the form of the General Data Protection Regulation (GDPR). Enacted by the European Union, this nascent regulation impacts your digital rights and affordances — even if you live outside of the EU.

In honor of National Cybersecurity Awareness Month (NCSAM), we’ve decided to break down how this regulation impacts everyday users.

The GDPR is largely the result of growing concerns among regulators, who criticize the ways in which businesses exploit personal data belonging to their users and fail to keep sensitive information secure. To name a few motivators for such policy, look no further than recent scandals such as Facebook’s run in with Cambridge Analytica and data breaches such as the one Equifax experienced in 2017. Not only did these incidents expose sensitive information belonging to 87~ and 147~ million consumers respectively, they also exposed how vulnerable everyday users are in the contemporary digital landscape.

Only three in ten Europeans have heard of all their new data rights.

Andrus Ansip,
former VP,
EU Digital Single Market
Yet, while many recognise that the ubiquitous sale and collection of data raises ethical concerns and creates risk, the public largely remains unaware of how acts like the GDPR actually intend to safeguard their information. The EU Digital Single Market’s former vice president, Andrus Ansip, said last year that “only three in ten Europeans have heard of all their new data rights.”

Critics of the GDPR identify this lack of public awareness as one of the act’s shortcomings. After all, if consumers are unaware of their rights, businesses may experience less pressure to comply.

Despite coming into effect back in May 2018, many still incorrectly assume that the GDPR is only relevant to their online activity if they are physically located within one of the EU’s member states. On the contrary, the Internet is unfazed by borders. Companies around the world who wish to continue serving their users in the EU have had to adapt to the Union’s legislation. In turn, this fundamentally restructured how they interact with online audiences on a global level. Or, to put it in legalese:
“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
-GDPR Article 3 “Territorial scope”
As indicated in Article 3 of the GDPR, businesses outside of the EU have to comply in order to continue serving their EU customers. As such, this policy has had a ripple effect on consumer rights. Regardless of if you’re located in Portugal or Portland, you may still be entitled to certain online protections as a result of the GDPR. It is worth noting, however, that some U.S. states have implemented similar regulation of their own. Your rights under the California Consumer Privacy Act (CCPA) will be explored in our next article.

At its core, the GDPR aims to achieve three outlined objectives: establish rules for the processing of personal data and its movement, protect the fundamental rights of individuals, and permit the free movement of personal data within the EU. Notably, it draws upon the idea that data protection is a fundamental right.

So what does this all mean for you?

Broadly speaking, the GDPR affords you eight essential rights and protections when it comes to your personal data. As previously mentioned, recent findings showed that even in the EU, the majority of consumers are not aware of all of the new rights introduced by this regulation.

1. The “right of access by the data subject”

The right of access means that you can formally ask businesses if they are processing your personal data. If so, you can enquire about why your information is being processed, the type of data collected, who your information will be shared with, how long it will be stored (where possible), the source of the information, and a few other key pieces of information designed to inform you about how your personal information is being used.

2. The “right to rectification”

This article in the GDPR grants you the ability to rectify your personal data when it is incomplete or incorrect.

3. The “right to erasure” aka. the “right to be forgotten”

Under the GDPR, users have the right to request that businesses erase their personal information. For instance, when you decide to opt-out of a service. Yet, there are many limitations to this request. If you’d like to know more, these limitations are outlined in Article 13.

4. The “right to restriction of processing”

The GDPR further states that individuals have the right to request the restriction of their personal data. Here, businesses can still store your information but are not allowed to process it. As with the previous right, there are many limitations to your ability to restrict processing. These limitations can be found in Article 18.

5. The “right to be informed”

This phrase is used to refer to the range of information that needs to be provided to users in regards to their data. Perhaps most importantly, it mandates that businesses must inform you of how, and why, your data is being collected.

If you have come across a GDPR notice online which informs you why your information is being collected, you have seen this right in action.

6. The “right to data portability”

Where feasible, this right allows you to obtain and reuse your personal data across different services.

7. The “right to object”

Similar in many ways to your right to be forgotten, the right to object allows you to object to the processing of your personal information when certain criteria are met (as outlined in Article 12). For instance, the GDPR affords you the ability to object when your information is being processed for direct marketing purposes.

8. “Automated individual decision-making, including profiling”

Finally, the GDPR also grants you the ability to object in situations where decisions are made solely on the basis of automatic processing and/or profiling. It allows you to override important decisions made automatically in favor of manual consideration and human involvement. For instance, in cases where your specific situation is not appreciated by an automatic, non-human process.

When businesses do not comply with the mandates outlined by the GDPR, they face economic penalties. If you identify or experience a business failing to uphold your digital rights, you can lodge a complaint with the relevant Data Protection Authority of an EU member nation.

Knowing your rights will help you navigate a version of the Internet that is, at least partially, less prone to the exploitation of consumers' personal data. While the nascent realm of digital regulation still has a long way to go when it comes to safeguarding everyday users, learning about the protections offered to you by the GDPR can help you make informed choices online when it comes to the data you share and the services you interact with.

Jack Filiba is a journalist specializing in coverage of digital and financial technologies, as well as new and emerging media formats. Get in touch with him via JaFiliba[at] or follow him on Twitter.

Further Reading & Resources
Why Your Data Matters
Read the GDPR

"GDPR and the End of the Internet’s Grand Bargain"

"Europe’s Privacy Law Hasn't Shown Its Teeth, Frustrating Advocates"
"If You Don't Care About Online Privacy, You Should Read This"

"Your Data Matters"

"We Need to Own Our Data as a Human Right—and Be Compensated for It"

"We Don’t Want to Sell Our Data, We Want Data Rights!"
More Privacy Resources
More from DreamClassier

Cybersecurity & Infrastructure Security Agency (US)
Yearly Password Reminder & Survey

A Correction from Last Year

Next Week, the CCPA