Nowadays, everyone's personal information is stored in a certain place, whether online, offline or both; therefore, we can say that almost everything we do leaves a "ledger" of our social and financial activities. The dubious aspect is that most of the time we do not give any consent regarding the storage of our personal data, which operators not only collect, but also process for their own benefit. To what extent the companies that collect our data can process and leverage it in order to predict certain behaviours and determine the sample population's preferences is unclear to most of us. On the other hand, the most striking data breaches are finally raising awareness of the risks of providing personal data when we go online. The right to have your personal data protected really exists, and it is the target of the European Union regulation, which has been updated in recent years in order to increase companies' compliance.
Hence, the legislation has evolved into REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). GDPR is the currently enforced legal basis with which all companies processing the personal data of data subjects residing in the Union, regardless of the company's location, have to comply. This regulation consists of comprehensive data privacy standards, meaning that the range of potential data processors extends from telecommunications companies and recruiting firms to every employer keeping a record of their employees, including public institutions. In order to meet the requirements, companies need a DPO (Data Protection Officer), who can be an existing employee trained on GDPR or an external service provider.
What are the consequences of non-compliance with GDPR?
Non-compliance can lead to serious infringement situations, which can result in fines of up to 4% of annual global turnover or €20 Million (whichever is greater). The more critical the infringement, the higher the penalties; namely, a company "can be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a breach or not conducting impact assessment", according to https://www.eugdpr.org/key-changes.html.
Why has GDPR become an overheated debate at the moment?
The due date for compliance is 25th May 2018, meaning that once GDPR comes into effect, non-compliant organizations are exposed to heavy fines.
What are the rights of data subjects?
All EU citizens have the right to access the data a controller holds about them, meaning that we can ask every social network for a copy of the data they have collected about us; the right to be forgotten; the right to data portability; and so on. Our first thought is that Facebook will never give us a copy of the data they have about us, and we are probably right... until now. (See https://medium.com/personaldata-io/cambridge-analytica-demonstrably-non-compliant-with-data-protection-law-95ec5712b61 for an insight into Cambridge Analytica and the infringement of data subjects' rights.) Many of you should have been receiving e-mails by now from the companies you subscribed to in the past, asking you to renew your subscription. Why does this happen? Because consent from data subjects is vital in the context of GDPR compliance.
Personal data is a pillar of our identity and integrity. Be it an e-mail address, an insurance code, a street address, or even a computer's IP address, we need to have it protected. Every breach of data privacy makes us vulnerable from many points of view and easier to control and manipulate, because we become predictable patterns of behaviour.
If you are interested, below is a link to an article on the most infamous data breaches, which reveals things we might want to think twice about.
PhD Irina Badea,
University of Craiova, Romania