In the last couple of weeks, there has been a lot of mention of the GDPR directive which is to be rolled out across Europe and is said to have significant impact on how companies will manage and use our personal information. Even if the acronym makes the whole thing sound more like a former Soviet state, it has very little to do with collecting more data, but more to do with regulating the collection of same.
The acronym stands for General Data Protection Regulation and it's a ruling intended to protect the data of citizens within the European Union. The regulation was brought forward by the Council of the European Union, European Parliament and European Commission with the goal of providing EU citizens with a greater level of control over their personal data.
The regulation, which took years to come to pass, was officially approved by European Parliament on April 14, 2016 and will come into effect on May 25 next. After this date, fines will apply for any business not complying with the guidelines set forth by the GDPR, fines which can be up to four percent of their global turnover or up to €20 million. Any stored information that can be used to determine your identity falls under GDPR including name, bank details, photo Images, email addresses, IP addresses, social media interactions and medical information.
It is clear that GDPR is a leap forward in terms of customer protection and data privacy. It is far more advanced than anything provided by other countries and it will, without doubt, shape the private data landscape for decades to come. It generally makes it a lot harder for companies to obtain and prove consent for the storing and using of personal data and forces a lot of organisations to re-think and re-organise how data is collected, stored and managed in order to avoid the dreaded and very high penalty charges. The result of this heavy re-focus on data protection is that a horde of GDPR consultants have emerged to assist EU companies to comply with the directive.
The main GDPR-related rights for citizens to keep in mind are Breach Notification, Right to Access, Right to be Forgotten, Data Portability and Privacy by Design. It can be argued that the Right to Access and the Right to be Forgotten are the strongest changes to the current landscape.
The Right to Access states that the EU citizen can receive personal information free of charge when such personal information is stored. This has to include the purpose and usage of the data. This point seeks to enforce private data efficiency and avoid the storing of data that is not needed.
The second point, the Right to be Forgotten, ensures that any EU citizen can request the deleting of any personal information. This includes but is not limited to data that is publicly accessible such as search results and social media entries.
Search results are particularly interesting due to the indexing character. A citizen can request the deletion of an indexed piece of information, but the search engine provider is not responsible for deleting the source, which may or may not be in the European Union. This small border case points to potential loop holes in the legislation, which require a more globally connected legislation to ensure that information stored outside of the EU also underlies similar strict privacy regulation
Dr Kevin Koidl is a Research Fellow in The ADAPT Centrea and the Knowledge and Data Engineering Group (KDEG) of the School of Computer Science and Statistics at Trinity College Dublin.
Share this article: