Your rights and the GDPR: what you need to know

Sphere Identity
Apr 4, 2018

On 25 May 2018, a new piece of legislation is coming into force in the EU. Called the General Data Protection Regulation (or GDPR for short), it’s going to change the way companies collect, process and store consumer data.

The GDPR secures the right to privacy and protection of personal data, which is guaranteed in articles 7 and 8 of the Charter of Fundamental Rights of the European Union, in a way that means big changes for businesses and those who build software. It builds on the previous Data Protection Directive, with more of an awareness of how people and businesses are integrating with digital.

This legislation covers any business that has a presence in the EU and applies to any business anywhere in the world which deals with the data of EU nationals. Even if you aren’t an EU citizen, you may well feel the ripple effect of these powers, as companies will be completely changing their policies and practices.

Companies that fail to comply face extreme penalties: fines of up to €20m, or 4% of annual global revenue — whichever is higher.

However, few people know that much about this regulation — or the powers it’s granting them.

In a huge online survey across 11 EU countries, Pega found that 79% of consumers didn’t know GDPR is coming. Once they were told about the legislation, 82% said they planned to “take advantage of their new rights.”

Here, we’re looking at what those rights are, and how you can actually use them.

You’ll gain a say over your data

No longer shrouded in secrecy, the GDPR gives you the right to know and own your own personal data. You can find out who knows what about you, and for what purpose they are using your data. And you can change it.

Right to access and to amend

The right to access your data existed under previous legislation but wasn’t widely known about or well enforced.

The GDPR enshrines this right — and will punish companies that do not comply. As a result, businesses have been concerned as they overhaul their customer data storage. Worryingly, just under a quarter of businesses predict they’ll be partly compliant by the deadline.

This is because they have to make enormous changes to the way they store customer information, so it can be more accessible and secure.

Under GDPR, you have the right to ask a company to show you what data they have on you, what they do with it, and why they are storing it. They have to justify it to you. They have to respond to your request in 30 days, and it has to be in a format you can understand.

Importantly, if their data is wrong, or they’re keeping too much private information, you have the right to change it, or even have it deleted.

Your data is no longer the product

As journalist Andrew Lewis once said: “If you are not paying for it … you’re the product being sold.” But that’s no longer the case under GDPR.

Publishers can no longer demand you consent to sharing your personal information with them in order to access a site or view content.

Companies can’t ask for your email address to access an eBook, and then secretly add you to their mailing list. Your consent has to be explicit, and they have to be able to prove that they have it.

Not only do you have to consent to a company storing your data, they are obliged to tell you why they need it, and what they’ll use it for.

Fundamentally, digital marketing is going to have to change. And fast. Worryingly, 41% of marketers admit to not understanding the law around consumer data.

Object to automatic processing

Customer data is the fuel for algorithms. Online marketplaces know what to recommend to you because they’ve seen thousands of similar orders, and have worked out how to predict user needs.

Algorithms and automation dictate more and more in our daily transactions. But now, you can request information on the algorithms that are profiling you — and you can opt out.

You can request human intervention if you feel the algorithm is disadvantaging you, which will have huge impacts in challenging the biases humans have coded into Artificial Intelligence.

This is a great freedom for you, as a consumer, to no longer be profiled and tracked. AI has infiltrated many aspects of life and we don’t usually even notice. AI requires data in order to learn. If you want total privacy, you may have to sacrifice some convenience or personalisation.

Given our reliance on smart search engines and recommendations, this ushers in a new era of consumer data awareness.

You’ll hear about data breaches earlier

Cybercrime is on the rise. Yet whilst it’s hard to legislate complete protection for consumers, the GDPR ensures companies can no longer obscure the facts around data breaches.

Developers are going to have to start building their products with your privacy in mind — something we’ve explored before — and be vigilant against attacks.

Massive hacks can no longer be hidden

If hacked, businesses must notify the supervisory body within 72 hours of discovering the breach. Failure to do so comes with heavy penalties.

With stricter regulations in force, companies are motivated to lock down their security, and tidy up their processes and procedures. In turn, this promises more protection for your data.

Companies have to tell you about hacks in plain English

Not only do they have to notify the GDPR supervisory body, companies are now obliged to inform consumers too. They have to share what has happened, what data has been affected, and the possible impact this could have for you. This has to be in plain and clear English.

You even have the right to be compensated should the breach cause you damages, like if your credit card details are stolen, and the thief harms your credit rating.

Conveniently, thanks to the GDPR you can move your data to new providers, and erase it from your old one. The regulation goes further than just providing you protection as a consumer. It’s giving you back control and empowering you to take meaningful action.

The GDPR is offering you more flexibility as a desirable customer; giving you the tools to make better and more informed decisions.

The right to data portability

You have the right to demand your data from a company, and it has to be in a machine-readable and commonly used format.

But further than that, if it’s technically possible, you can request they facilitate your move to a new service provider.

Under the GDPR, you can ask a business — say, your electricity provider — to package all your data up, and then hand it over to their competitor, who is offering you a better deal.

You’re being put fully in control of your data; and the barriers that complicate changing your services are being removed.

Your data is valuable: some estimates predict “the value of European citizens’ personal data could grow to nearly €1 trillion annually by 2020.”

Businesses will have to be more upfront about what you’re worth to them. Bargain with your data to get better value and special offers.

The right to be forgotten

If bargaining doesn’t work, or you’ve taken your business elsewhere, you can erase your data entirely from your previous provider.

This is commonly known as the “right to be forgotten,” which actually came into law a few years ago.

In the landmark case against Google, a single man, Mario Costeja González, won the right to make the search engine remove links to a news story about him. The story stayed up — as a judge saw it as in the public interest — but searches of the man’s name no longer lead to it.

This will make it significantly easier to manage your digital identity.

You can prune relationships with retailers you aren’t interested in, stop your former bank from selling you new products, and protect your online reputation.

This is one of the most exciting parts of the regulation for consumers, and has the potential to disrupt entire business models and sectors that rely on cold calling and the buying or selling of customer data.

You’ll have the right to complain about noncompliance

This legislation is not just advisory guidelines. It’s enforceable, and has a clear plan for how any complaints should be made and dealt with. It offers a framework for consumers to use in order to access their rights.

This will cause a huge change in how businesses approach data handling — and its importance.

Right to object to & restrict the use of your data

Sometimes, you need businesses to have your data. The GDPR not only lets you know what they do with it; you can now also object to the use or processing of your data, or restrict it.

This gives you the power to make companies accountable for how they use your information. You have the freedom to make decisions that companies must respect.

It will cost each of us some time, but the legislation has been designed to meet your needs as a consumer, by providing you the ability to protect your own data.

Right to complain to the supervisory body

At the core of their operations, companies have a duty of care to their customers. Under the GDPR, they have to respond to your requests, and action them appropriately.

If they don’t, you can take it to the supervisory body in your country — even if it isn’t the country the company is based in, nor the country they process data in.

The supervisory body has a duty to investigate, and respond to your request. If you find their response unsatisfactory, you can demand a judicial review. In fact, you can even take the companies that aren’t complying with the regulations to court. It sounds daunting — but you aren’t alone.

Right to seek help in complaints

Enshrined in the regulation is your right to assistance in any complaints you make or court cases you raise.

You can enlist the help of a digital rights organisation, association or charity, such as None of Your Business or European Digital Rights.

Regulation can be dense and dry, and often it’s the people it is designed to protect who struggle to enact it. Under the GDPR, your right to use the regulation is accounted for.

Top Takeaway Tips

Hopefully this guide has explained what the GDPR means for you, as a consumer, and helps you understand your rights a bit better. We want to make sure you go away and use them, so here are our top actionable tips.

  1. Take the time to educate yourself
    Companies must now share all this information with you, about what they’re storing, why they need it, and what they do with it. Before agreeing to anything, invest a little time in reading it. Start getting comfortable with your digital identity, and how to use it best.
  2. Learn who your GDPR supervisory body is
    They can, and will, action your complaints. Each member state has some freedoms to apply the laws differently, so you need to get the perspective most relevant to you. Find out who yours is here.
  3. Take this opportunity to spring clean your personal identity
    If anything, GDPR should help you become more aware of the huge size of your data footprint. It presents the perfect opportunity for you to overhaul how you store and share your personal data. Check your information is up to date where it needs to be, remove yourself from mailing lists and remove any unimportant personal data.
  4. Start managing and monitoring your data better
    This is also the perfect time to start checking your own cybersecurity at home. Consider using a password manager to secure your passwords, and track where you’re sharing your data.
  5. Exercise your rights
    Most importantly, once GDPR has come into effect, use it! It’s consumer legislation designed to benefit you. It may take a bit of legwork, it may take a couple of years and court cases to bring companies to account, but by holding companies accountable we can ensure better data security for all.

At Sphere Identity, we’ve built a GDPR-compliant blockchain-based self-sovereign identity platform. It empowers people to take control of their digital identity, and to use it to their own benefit.
