What the EU rules mean and how they protect you
The GDPR, or General Data Protection Regulation, went into effect in May of 2018. The goal of the regulation is to provide data protection and increased privacy for individuals who are in the European Union and the European Economic Area. The regulation covers digital data as well as paper data. Any company, regardless of size or location, needs to pay close attention to the GDPR and know how it is going to affect its business.
What Are the Individual Rights
Individual rights are some of the essential elements of the GDPR, which you are going to want to understand whether you are living in Europe or you have a business located in the United States with some customers in the EU. Let’s look at each of these rights to get a better sense of what they mean.
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights about automated decision making and profiling
The Right to Be Informed
People have the right to be informed about the collection and use of their data, which is one of the transparency requirements of the GDPR. Companies are required to let people know why they need the data, how it is going to be used, how long the data will be preserved, and who will have access to the data. This information needs to be available to the individuals at the time the personal data is collected from them.
The Right of Access
An individual has a right to access their data. They can request to obtain their data verbally or in writing. When an individual makes this request, the company will have only one month to respond. Also, in most cases, it is not possible to charge a fee for fulfilling the request.
The Right to Rectification
The GDPR provides this right to individuals to ensure that their personal information and data are accurate and that they can correct and rectify them if they are not. The individual can make the request in writing or verbally to have the information corrected, and your company will have one month to respond to the request. The Data Protection Act 2018 states that “personal data is inaccurate if it is incorrect or misleading as to any matter of fact.”
The Right to Erasure
An individual has the right to have their data erased if they so choose. This is called the right to be forgotten, and as before, it is possible to make the request for erasure in writing or verbally. The company will again have one month to respond.
It is important to remember that this right is not absolute, and it will not apply to all circumstances. For example, a criminal does not have the right to make law enforcement erase and forget their personal information.
The Right to Restrict Processing
An individual now has the right to request restriction or suppression of their data. This means that a company might be able to store the personal data, but they are not allowed to use it. The individual can make the request in writing or verbally, and the company has one month to respond. Like the right to erasure, this is not an absolute right, and it will only apply in certain circumstances.
The Right to Data Portability
This right allows people to obtain and reuse their data for their own purposes across various services, and not just your company. They have the right to move their data, or copy or transfer it, from one IT environment to another safely and securely. This information still needs to be usable after the transfer.
The idea behind this right is to make it easier for consumers to find other services or companies that can use the data and that might be able to serve them better.
The Right to Object
Individuals will have the right to object to the way in which their data is being used in certain circumstances. For example, they have the right to stop their data being used for direct marketing. Companies are required to tell people about their right to object. The individuals, as before, can make their request in writing or verbally. Companies will have one month to respond to the objection.
Rights about Automated Decision Making and Profiling
The GDPR has provisions for automated individual decision making, which is when a decision is made by automated means without any involvement from humans, and for profiling, which is when personal data is used to evaluate an individual and to try to learn things about them. These are allowed only in certain instances, and the rules can be confusing and seemingly contradictory based on various factors.
When trying to comply with the GDPR and the rights of the individuals, it is often a good idea to work with someone who can make sure that your company is following the laws and complying with the changes that have taken place with the new regulations.
Why Are These Rights So Important?
Some companies were not overly happy about the new regulations and the amount of time and money they would have to spend to make sure that they were complying.
However, these changes are important. The rules had not been updated since 1995, and over the 23 years that have passed since then, technology has changed and advanced. Today, it is far more dangerous to have your data online, so having provisions in place that can help to provide some additional protection is a good idea. It helps to reduce the risk for the customers, and it provides the individuals with more control over their data.