Most EU citizens will have heard about GDPR in some respect, be it in the form of news reports or emails from subscription services. However, despite the press coverage, relatively few will have any idea of what GDPR is. Also known as the General Data Protection Regulation, GDPR came into effect on the 25th of May 2018 after a two-year grace period. After this date, the EU required that all companies handling EU citizens’ data must comply with the new data regulations.
GDPR was established to address new concerns about how private personal data was being handled. It defines “personal data” as anything that contains “personally identifiable information”, meaning it can be used to track specific individuals. This can include a wide variety of information, from names to passport numbers. All of this data has value: if it is breached, it could leave the person to whom it pertains vulnerable to fraud. There are other types of personal data that are considered more sensitive than the usual identifiers, such as religious beliefs or sexuality. As these are at the discretion of the individual to disclose, it is also important that they remain private.
GDPR applies to all organizations within the EU alongside any organizations based outside the union if they handle the data of EU citizens. This safeguards the rights of EU citizens regardless of where their data is being handled or processed. It is likely that the UK will adopt privacy laws similar in framework to GDPR after it leaves the EU.
Regrettably, cyber attacks are on the rise globally. This threatens information privacy, as advanced cybercriminals are able to access data and use it for nefarious ends, from creating fake identities to making false insurance claims. However, GDPR lays out Eight Common Privacy Principles that all organizations handling EU citizens’ data must enact to be GDPR-compliant. The Privacy Principles are as follows: notification, lawfulness, limits, security, accountability, downstream protection, access rights, and breach notification. Each of these principles puts the safety of the data subject to the fore.
GDPR is considered one of the most robust data privacy laws in the world, and it is highly recommended that all organizations affected by the new regulations train their employees. Importantly, it puts emphasis on the rights of the data subject to question how their data is being collected and what it is being used for, and it also gives them “the right to be forgotten”. This means that data subjects have the right to opt out of measures such as directed advertising, where their personal data would be used to show them advertisements directed towards their interests. They may also set a time limit, before which their data cannot be processed but after which it can be used for a pre-specified purpose.
There are, however, some exceptions where these rights do not apply. If an individual’s data is needed for defense purposes, to prevent crime, to prosecute a crime, or for issues of public health, that data may not be treated as private. In all other cases, however, everything possible should be done to protect privacy.