The General Data Protection Regulation (GDPR) enters into force today. It is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA. The GDPR is quite far-ranging. Here are some interesting examples of what it covers. You can take the online test that the BBC prepared (which the material below is derived from) here. You will notice that location data is included in the personal data covered by the legislation. Surprising to me is that it covers AI (artificial intelligence) when it is applied to an application.
- GDPR is designed to help people protect and control use of their "personal data". What does that cover?
The UK’s Information Commissioner’s Office defines personal data as: "Information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier." It says this includes "name, identification number, location data or online identifier". Under some circumstances, this can extend to images, and details about your family. Unconnected facts - such as the distance from the Earth to the Moon - would not become personal data just on your say-so.
- A free app that relies on adverts to make money has gathered information about you. Under what circumstances can you forbid it to use the data?
Organizations have six lawful bases for processing personal data: consent, contract, legal obligation, vital interests, public task or legitimate interest. But whatever the legal basis, you always have the right to object to the continued processing of your personal data if it is for the purposes of direct marketing. If you willingly and explicitly consented to your personal data being used for ads in the past, then apps and others can continue to do so.
- An online chat service wants access to your location and email contacts and is relying on user consent as the legal basis for this.
GDPR says consent means individuals must have real choice and control. So, they need to have a "clear and concise" explanation as to what they are agreeing to, and pre-ticked boxes and other forms of default consent no longer apply.
- Over time you have grown to dislike being part of a social network and decide to quit.
GDPR introduces a right for individuals to demand their personal data be erased under some circumstances. These include situations when its use has been based on their consent. Organizations must respond within a month of receiving the request and should comply without charging a fee unless the request is deemed "manifestly unfounded or excessive".
- You are unconscious after a car crash and require surgery. Can your GP provide your personal medical records to the nearest hospital?
One basis for processing and sharing an individual’s personal data is that it is necessary to protect their vital interests, which includes saving their life. So, sharing data with a hospital's A&E department for an emergency would count.
- A video streaming service emailed you all the personal data it held about you last week, as requested, but you decide to ask again.
GDPR gives individuals a right to access the personal data held on them under some circumstances. Organizations are encouraged to make this possible via the internet, and are supposed to respond within a month. However, if a user subsequently asks to be sent further copies of their data, then the service involved can charge a "reasonable fee" based on its administrative costs.
- You lose your wallet. Inside is a scrap of paper on which you had written down your work login and current password. Your IT department confirms that an unidentified party entered your account, giving them access to a file containing the names and addresses of 12 police informants involved in a project you are working on.
GDPR introduces a duty to report certain types of data breaches within 72 hours of them being detected, even if all the details are not yet known. If individuals are also put at significant risk, they must also be informed. Failure to comply can entail a fine of up to $23.6 million or 4% of the annual global turnover.
- Your application to work at a restaurant is turned down, and you are told it was rejected by the firm's artificial intelligence system.
GDPR gives an individual the right to challenge decisions made solely on the automated analysis of their personal data if they did not consent to it in advance. Those affected can ask for access to the details on which the decision was based. They also have the right to have a human double-check that a mistake was not made.
- You decide to quit membership of a gym chain to join a rival. You ask for your data in a common machine readable format.
GDPR includes the right to obtain and reuse personal data from one service to another. It applies when the lawful basis for processing the information is consent or contract, and the processing is carried out by automated means (i.e. not paper files). The data must be provided in a commonly used and machine-readable format.