Six years in the making, the EU General Data Protection Regulation (GDPR) is set to take effect on 25 May 2018. It will replace the EU's 1995 Data Protection Directive and begin a new chapter in internet-related privacy and reputation management. Since the GDPR was passed in 2016, the two-year transition period that followed has given companies time to update their policies and prepare for compliance.
With implementation now in process, what changes will the GDPR bring for EU citizens?
A New Approach to Personal Data
The GDPR aims to 'empower' individuals by giving them more control over their personal data. The law treats as personal data almost anything that relates specifically to you: name and address, social media posts, photos, shopping preferences, and of course sensitive information such as bank account numbers and medical records.
You, the individual, are defined as the ‘Data Subject’, while companies that handle your information are ‘Data Controllers’ or ‘Data Processors’. The controller designs the ‘purpose, conditions and means’ surrounding data collection while the processor (predictably) processes the data. Under the GDPR, both controllers and processors are subject to new rules and penalties, while individuals - ‘Data Subjects’ - have increased rights and protections.
These are some of the changes that can help individuals safeguard their online reputation:
- Clearly Written Consent Requests – Under the GDPR, controllers need the individual’s consent to collect personal data. This isn’t new, but in the past nothing prevented companies from burying a consent request in a long, misleading policy. The GDPR requires consent forms to be ‘accessible’, ‘clearly distinguishable from other matters’ and written in ‘plain language’. Data subjects must also be able to easily withdraw consent once it is given.
- Right to Access Free of Charge – Controllers must provide individuals with an electronic copy of their personal data upon request, free of charge. In the past, this information was available but often came with a fee. Controllers must also be transparent about what types of personal data are being collected and how this information is used and/or shared with third parties.
- Individuals Decide What Happens to Their Data – Data subjects have the right to halt further 'collection' and 'dissemination' of their data once they have withdrawn consent, or once the purpose for which the data was collected is no longer relevant. They can also request that their data be deleted, commonly known as 'the right to be forgotten'. This right can be subject to limitations, as is already the case in the EU where there is an overwhelming 'public interest in the availability of the data'. The GDPR also introduces the right to 'data portability', meaning individuals can choose to transmit the electronic copy of their data received upon request to another controller.
- Data Breaches – In the event of a data breach, individuals at risk of being affected must be notified within 72 hours of the controller becoming aware of the problem. Processors also have an obligation to inform controllers as soon as possible once a breach is detected.
- Redrawing Geographical Boundaries – Previous data protection policies have focused primarily on where a company or another type of data controller was located. The GDPR extends jurisdiction to include any organisation holding or processing personal data for EU citizens, regardless of where it is headquartered or physically located.
Will UK Citizens Be Covered after Brexit?
In the short term, British companies must prepare to comply with the GDPR from 25 May 2018, and UK citizens remain fully covered under its protections. The UK government is expected to pass similar legislation following its exit from the EU, especially as British organisations were heavily involved in the drafting process; however, some changes could still apply. Companies holding international data will need to comply with GDPR standards for EU citizens. On the other hand, organisations whose clients are limited to British citizens could theoretically alter their policies under new legislation.
For further questions regarding the GDPR or your privacy online, contact our privacy experts at ReputationDefender on 0800 131 0700.