General Data Protection Regulation
The General Data Protection Regulation came into effect in May 2018. The regulation focuses on providing data protection and privacy for all individuals within the European Union and all individuals whose data is processed by an EU controller (regardless of their location). It also includes special protections for children’s data.
The EU General Data Protection Regulation defines ‘personal data’ as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
You have the right to:
- be informed about the collection and use of your personal data;
- object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation;
- obtain access to a copy of your personal data;
- ask for incorrect, inaccurate or incomplete personal data to be corrected;
- request that personal data be erased when it’s no longer needed or if processing it is unlawful;
- receive your personal data in a machine-readable format and send it to another controller (‘data portability’);
- request that the processing of your personal data be stopped.
These rights apply across the EU, regardless of where the data is processed and where the company is established. These rights also apply when you buy goods and services from non-EU companies operating in the EU.
You have a right to ask a company or organisation whether or not it holds any personal data which concerns you.
If they do hold any personal data of yours, then you also have the right to access a copy of it free of charge. You are also entitled to any relevant additional information (such as their reason for processing your personal data, the categories of personal data used, etc.).
If you want to find out what a company or organisation knows about you, you need to make a Subject Access Request (SAR).
A SAR can be made to any person working at the desired company or organisation. A SAR can be done either verbally or in writing – this even means you could request your personal data through social media, although email is the most common format.
As well as the information that’s asked for, an organisation has to provide details of why it was processing the personal information, how the information is being used, and how long it is due to be kept for.
Children benefit from special protection with regard to the processing of their data for marketing. This is because young users may be less aware of the risks, consequences and safeguards concerned with marketing.
The GDPR sets the age of consent at 16, but individual member states may lower this as far as 13. A child below the age of consent cannot provide consent for themselves. When consent is the lawful basis for processing a child’s data, reasonable efforts to verify that the person giving consent is old enough to do so are required. Online services must obtain consent from the holder of parental responsibility for the child.
Regulators have the ability to fine businesses that don’t correctly comply with the General Data Protection Regulation.
For instance, if a company or organisation doesn’t process an individual’s data in the correct way, they can be fined. Similarly, if there’s a security breach, the company or organisation can be fined.