Power to the people, right on, GDPR

John Lennon once sang "Power to the People", and the General Data Protection Law did just that for the masses. The data subjects and the data controllers are at the heart of the GDPR ecosystem. In our earlier articles, we dealt with the role of data controllers, and in the previous article we attempted to give data subjects some insight into what their rights are under the law and how they can exercise them. The big question, however, is whether they are exercising them. Did you know that all the countries of the European Union have provided their citizens with voting rights? They have been given the right to choose their own government. However, on average, a little over 60% of the people exercise this right. This makes us wonder whether the people for whom the law has been made are exercising their rights under it.

A law giving more power to the citizens over the processing of their personal data is the need of the hour and therefore the lawmakers introduced GDPR in December 2016. As per a survey conducted by SAS, the data subjects have embraced GDPR with open arms. While in May 2017 only 48% of the data subjects were planning to exercise their rights under GDPR, the number increased to 56% by May 2018. However, after the Facebook–Cambridge Analytica data scandal, a large number of people voiced their concerns over data privacy and the percentage of people inclined to exercise their rights under GDPR increased manyfold. Three-quarters of those aware of this news say they have either activated rights, plan to stop sharing as much information or are reviewing their rights because of it.

Even though a large number of people are inclined to exercise their rights under GDPR, the number seems low in comparison to the amount of effort put into the enactment of the legislation. The question that arises is why data subjects are not utilising the rights granted to them to their optimum potential. There can be a number of reasons for this, starting with a lack of awareness. However, considering the buzz around GDPR for the past few years, unless you have been living under a rock, it is unlikely that you are not aware of the law. That leads us to the second assumption, which is that the data subjects are not aware of the procedural nitty-gritty. This issue can be resolved by spending some time getting acquainted with the law. However, if you are the kind who doesn't have the time to grapple with the process or does not know where to start, do not get disheartened: technology will come to your rescue.

There are a number of software products and security tools in the market that help data controllers to be compliant with GDPR. In this article, we take a look at what might be a good tool for citizens to exercise their rights and derive the full benefit of the law. Assuming that citizens are unable to exercise their rights because the procedure is too cumbersome, an ideal tool for them would give them access, at the click of a button, to all the companies or organisations that might have their data. Further, considering that the common man does not want to get entangled in the complexity of a piece of software or a tool, the simpler the interface, the better.

Imagine you can download an app which requires you to enter the companies or organisations that you might have allowed to process your data and the app automatically classifies these entities under various heads, allowing you to access them at the click of a button; wouldn’t that simplify the experience? A good tool for such purposes could be one that is able to:

  • Classify the data controllers into various categories based on the information that a citizen provides it. It will create a list of telecom operators, banking institutions, shopping websites, etc. to whom you might have provided your personal data. This helps you keep track of all the companies or organisations that might be processing your data.
  • Once this list is in place, the software opens the floor for you to send a request to any company for the exercise of any of your rights. For example, if you want to fix an error pertaining to your address in your bank's records, you can easily select the bank from "Banking Institutions" and shoot out a rectification request, thereby exercising your right to rectification. Isn't this easy? Now you don't have to go through the tedious process of finding the details of the person to whom you should address the request and then giving details of the request. Two clicks and you are good to go.
  • The law gives a company 30 days to respond to your request and if it is unable to resolve the issue, it will have to provide you with a reason for the same within 30 days. This means, either way, the company has to respond to you within 30 days. Now, we understand that everybody is busy in this day and age, and though people want their problems resolved, they might forget to follow up on the request. Good software caters to this need too by keeping track of the time and opening a channel for communication with the company. As a result, if the company needs more details or is incurring a certain amount of cost while processing your request, it can inform you about the same and you can respond accordingly in a timely manner. This reduces the probability of the company raising an issue with your request at a later stage.
  • The software would further let you access the details of your data being processed by a company or organisation at the push of a button. You can easily get to know if a company has your postal address, your phone number, your bank details, etc. and request the company to delete the information that you do not want it to hold. This helps you get more control over the processing activities.
  • For ease of reference, the software would further classify all your data into various categories based on source, identifiability, purpose, third-party recipients, etc. You will get to know whether you provided certain information to the company or it inferred it, the reason for the processing, whether it has been shared with a third party, etc.
  • Considering the law allows a company to retain your data, subject to certain conditions, for legal purposes or in the public interest, wouldn't it be great if you were aware of any such retention? The software would let you know about any data being retained by a company and whether the company has taken due precautions, like pseudonymisation, to avoid its misuse.
  • Lastly, it would score the various companies on the basis of the safeguards being taken by them to protect your data and be compliant with the law. This would enable you to choose wisely the companies that process your data. For instance, if a company gets a 4 out of 10 on the compliance score, you will know better than to let it process your data.

There is a famous Latin maxim, Vigilantibus Et Non Dormientibus Jura Subveniunt, which means that the law assists those that are vigilant with their rights and not those that sleep thereupon. As a data subject, if you want to reap the benefit of GDPR to the fullest, it is imperative that you exercise your rights in the best possible manner. Let us know if you think that an app or software as discussed above would help you exercise your rights better.