Online services perform analysis of personal data
These days the collection of personal information happens in many aspects of our lives. Almost every online service we use involves the gathering and analysis of personal data; social media networks, banking applications, e-commerce shops, and governments collect our names, addresses, credit card numbers, and much more. All this information is stored and sometimes even sold further to other third-parties.
GDPR provides more control over online personal data
In Europe, the General Data Protection Regulation – GDPR came into effect in May 2018 as a legal framework to allow EU citizens more control over their online personal data. As a replacement for the Data Protection Directive, the GDPR tries to implement rules across all nations in the EU. But GDPR reaches beyond the European Union, as the law also applies to websites outside of the region whenever they provide goods or services to or monitor the behavior of people in the union. In other words, GDPR has a world-wide impact.
Enforcement of a privacy policy
The general requirements to comply with GDPR are as follows. A website or app must inform the visitor in a comprehensive privacy policy how it handles the collection of personal information and how personal data is processed. Privacy information must be up-to-date, easy to understand, and readily accessible on the website or app. Moreover, there must be security measures in place for protecting personal data. Further, there needs to be a method to retrieve user consent, and a procedure to allow for the removal of a person`s data.
Privacy by design for the collection of personal information
In the digital economy, data breaches do take place. Information gets stolen or transferred for malicious reasons. An organization not only has to make sure the collection of personal information happens legally and under strict conditions. Your personal data needs protection from abuse and exploitation. Respect for the privacy rights of people as well; commonly, this is referred to as privacy by design under the GDPR legislation.
Explicit approval of cookies
So what does GDPR mean for consumers? Visitors must be notified which data a site or an app gathers from them, and they must explicitly consent to the collection of personal information. This requirement clarifies the presence of a so-called cookie policy; the visitor has to click on an Agree button or perform a similar verifiable action. Cookies are small files that contain personal information such as site settings, browser preferences, and tracking links. The ePrivacy Directive – also referred to as the Cookie Law – addresses user data privacy rights when installing cookies.
Need to anonymize personally identifiable information
Furthermore, under the GDPR law, any personally identifiable information (PII) collected on a site needs anonymization. In that way, companies can perform more extensive data analysis, while respecting a person`s privacy. A good example is, for instance, the calculation of an average debt ratio of customers in a particular region; such an estimate goes beyond the original purpose of personal data collected to measure creditworthiness for a bank loan.
Direct notification of data beaches
In case of a data breach that could result in damaging a person`s reputation, financial loss, or loss of confidentiality, an organization has to report the violation to the possible victims and the regulatory authority. Everything possible to reduce the damage needs to be done. A company must communicate the breach notification directly to the victims, and not by a message on the website of the company or press release.
Statutory rights on the collection of personal information
The GDPR implements statutory rights for EU citizens on the collection of personal information regarding digital products and services. These rights include:
- information: this implies a clear and human-readable privacy and cookie policy on a website or app
- access: a visitor has a right to access his or her personal data and to know how personal data is processed
- correction: a user can request to correct incomplete or incorrect personal data
- objection: a consumer has the right to object personal data processing unless legal rights for the greater good override this objection
- data portability: a visitor may obtain his or her personal information in a machine-readable format for own purposes
- erasure: when continued processing is no longer justified a consumer can request deletion of his or her personal data, for example, when the consent retention period has passed
- children under the age of 16: for children under 16 (some EU countries can lower this to 13 years) parental consent is required
GDPR as a legal model for online privacy
In summary: With GPDR into force, the collection of personal information includes privacy by design. As a result, consumers have more control. You can access your personal data stored by organizations on their websites and apps. You can also find out how this data is processed, request corrections, and even erasure. Data protection under GDPR also assists you to stop third-parties from processing your online data. More and more countries use this EU law as a model to regulate online privacy for their respective countries. The CCPA – California Consumer Privacy Act – for example, contains many similarities; more information on this law in another post.
Further reading: Guide to GDPR compliance