So You Think You Know Your GDPR?

Hugh Gallagher
Published in ODCurioCity · 6 min read · Apr 19, 2020

So the term is bandied about a lot, but how well do we all know what GDPR (General Data Protection Regulation) actually entails? Do you have a broader understanding than simply “my data can’t be misused”? Well, I hope to explain some of the more interesting points of the legislation!

As a short note, the laws concerning GDPR use the term ‘controller’ to refer to the companies, businesses, etc. who have collected data from their users. Just for ease of reading, I’ll use the same term.

Right to Erasure (right to be forgotten)

With GDPR in place you can request that your personal data be erased by the controller, who must comply. This isn’t simply done on a whim, but based on one of a few different grounds within the law. You could probably use any of these grounds to justify erasure, but there were a couple of them I found more interesting than others.

For example, if your personal data are no longer necessary in relation to whatever they were collected for, this gives you grounds for erasure. Finding out that this is the case, however, might be a little more difficult, I feel. Possibly a much more worrying reason to request erasure is if unlawful methods were used in processing your data. In that situation, I would hope that it would be made public.

However, there’s a rather vaguely worded clause that covers when these rights to erasure don’t apply. The first case is when erasure goes against “exercising the right of freedom of expression and information”. At least to me, that’s broad enough to expect a big company to claim that’s why they won’t erase your data.

There are very important reasons to prevent erasure too, and some very understandable right now. If something is in the interest of public health, that is grounds enough. I’m sure none of us would want someone to be able to completely retract a statement of having Covid-19 online, and still wander around unchecked, trying to interact with others.

A second important reason to revoke the right to erasure is in cases where the data is used for scientific purposes. It may not feel understandable if you’re affected by this revoking, but there are important scientific studies being undertaken all the time. Depending on what it is, apparently irrelevant information could wind up being crucial in these cases.

Right to Information and Access to Personal Data

This is one where I would assume controllers hit us with jargon in the terms and conditions to cover themselves, while trying to keep us in the dark. But they’re supposed to provide a lot of information about who exactly they are and how to contact them, how they’re going to process your data and, possibly more importantly, why they’re going to process it. They should also be letting us know which ‘categories’, as they’ve called it, of data are being collected. So essentially, a list of what they’ll collect.

There’s a lot concerning this topic. They should also let you know how long they’re going to hold on to your data or, if not how long, how they’re going to determine how long, which is another way vagueness has been built into GDPR. They can also decide to further process your data down the line for other reasons. And those other reasons? They don’t have to tell you about them until they’ve decided what those reasons are.

Very important to consider is that they’re entirely entitled to send your data on to third parties. They just have to tell you that they will, and either who they’ll send it on to, or what kind of company or people they’ll send it on to. So, controversial I know, what happened in the Cambridge Analytica scandal was done illegally. But if something about third parties using data for marketing purposes was baked into Facebook’s terms and conditions, it could have been, at least legally, fine. Probably pretty grey morally though. But I suppose that’s a lot of law, I say having been educated in computer science.

Right to Portability

Now this one I personally find to be the most interesting. Mainly because I wouldn’t assume it’s a right we have by GDPR. With portability we can request whatever personal data the controller has on us, in some commonly used format that’s machine-readable. The unsurprising part of this is that we also have the right to send this data to another controller. But I mean, that should just be expected. It’s data about us after all.

We don’t even have to act as a middleman, we can request that one controller sends data directly to another. I suppose in an ideal world this would evolve into a secure, digital passport of sorts. Interestingly, it’s stated that this should all be carried out by automated means. I suppose that little bit is to avoid having some stranger looking over your data as it’s transferred?

Right to Object

I’d expect this to be quite a contentious point. You’re meant to be able to object, at any time, to processing of your data. But there are myriad ways this objection could be ignored. The most easily accessed for the controller is if they can provide legitimate grounds to continue processing. Now I’m not too sure what could amount to legitimate grounds, but I’m sure they’d follow a similar line to the reasons to avoid erasure I mentioned earlier.

Some of the big points of this right concern data used for marketing purposes, which I am completely on board with. I don’t mind ads on websites too much, but it gets a little much when those ads end up being something you’ve Googled minutes ago. To combat this, to an extent, we’re granted the right to object to the processing of our data for marketing, and for profiling when that profile is going to be used for marketing. The way it states this is that if you object, your data will no longer be processed for marketing. But to me that reads as if already processed data could be fair game, so long as you haven’t requested it be erased. Which could just cause a headache of cascading rights being enacted.

If you found this interesting, please check out episode 5 of CurioCity, where we discussed the broad reach of security, either through Spotify or Apple Podcasts. Everyone involved has had so much fun this season putting everything together!
