Online privacy has always been a hot topic. With the digitalisation of our lives, we have all become netizens. We leave our footprints digitally everywhere. From social media to banks, retailers and governments, almost every online service we use involves the collection and analysis of data. Your name, address, password and other confidential data is collected, analysed and, most importantly, stored by organisations.
Do you know who has what data?
It is so easy to give your name and email address to receive a free sample at an event that we often forget who has our data – and what data they have. To better protect its citizens and give them more control over their personal data, the European Union has set new rules, gathered under the name of General Data Protection Regulation (GDPR), which take effect today, 25 May 2018. Under the GDPR, organisations have to pay closer attention to the way personal data is collected and EU citizens have the right to be informed about how their data is collected and used.
GDPR is a hurdle for every organisation, public or private. The name, date of birth and address of employees, to name a few, all constitute personal data! At ING we have been working for months to put in place all the necessary processes and systems to make sure we’re in line with the regulation. Your employer is probably doing the same.
But what does it change for you as an individual?
A priori, nothing special in your daily (digital) life. You have probably received messages in your mailbox from organisations asking you to confirm, by clicking on a button, that they can continue to use your personal data to send you their newsletters or to provide any service that needs your email details (consent).
Besides the right to receive clear and understandable information about who is processing your data, what data they are processing and why they are processing it, the GDPR makes it easier for you to have your data rectified, restricted or erased. You have, among others:
- the right to object, with which you can contest the processing of your personal data, in which case the organisation must stop unless it can demonstrate compelling legitimate interests for the processing;
- the right to rectification, which applies when the personal data an organisation holds about you is inaccurate or incomplete. You are entitled to contact the organisation and request that your personal data is updated;
- the right to erasure, also known as the right to be forgotten. You can request that an organisation deletes or anonymises the data it holds on you if there is no legitimate reason to keep said data;
- the right to restrict processing. When processing is restricted, organisations can keep hold of your personal data, but they can no longer process it. You may exercise this right under certain circumstances (you believe that your data is inaccurate, you object to the processing on the grounds of legitimate interest or the performance of a public task, the processing is unlawful, etc.).
Of course, as with any law, there are exceptions and certain limitations, but you get the point: the purpose of GDPR is to give you more control over your own data.
Under the right to be informed, if your data is lost or stolen the organisation has to inform you and the relevant data protection supervisory authority – in Luxembourg, the National Commission for Data Protection (CNPD) – without undue delay. If the organisation does not do this, it can be fined.
So, while the GDPR brings important changes to the way data is stored and processed by businesses, it gives you, as EU consumers and citizens, new rights over your personal data, strengthens the existing ones and, in a way, improves your customer experience and your digital trust in the brands, companies and organisations with which you are in contact.