Are EU Citizens impacted by GDPR? The answer is Yes we are, positively I might add. Whilst GDPR compliance is becoming a headache for companies and businesses, for us as citizens the impact is positive. The main aim of GDPR is indeed to protect the citizen and to provide them with rights over their personal data. So how does it achieve that?
Before plunging in, some definitions are called for. The regulation refers to the citizens as the data subjects and data subjects are more often than not users of a system or a service provided by a company.
The right to know
As a data subject, I have the right to know what personal data company ABC Ltd has relating to me. This means that somewhere, somehow, any company we interact with needs to let us know what information they’re keeping about us. This could be listed in their terms of Service or could also be provided upon request.
The Right to access
Not only do I have the right to know, but I have the right to view it.
The Right for portability
This means that I have the right to request a copy in readable form of that data.
The Right to be forgotten
As a citizen I can request any company to delete any personal data it has about me. However, bear in mind that the company is only obliged to do so if this data is not required for the fulfilment of the service they are providing me, for the fulfilment of a contractual obligation or for compliance with other laws and regulation. Basically this means that I can’t go to a bank and ask for the right to be forgotten as there are financial laws that supersede this. Similarly, it would be unwise for me to request this from the company that is providing me with a service I need, especially if that information is required to provide the service. A practical example would be, asking my supermarket with which I have a loyalty card to forget about me, if I still want to accumulate and redeem loyalty points.
Consent of processing
When signing up to any service, the company needs to declare what they will be using my data for and ask for my consent. The consent is usually the ‘I agree to these Terms & Conditions’ checkbox that we’re all so used to. With GDPR however within those same Terms and Conditions they need to also state what my personal data will be used for.
Clear Terms & Conditions
We all do it. One quick scroll through the terms and conditions, check the ‘I agree to these terms and conditions’ without reading them. Mostly because they are lengthy and full of legalese which doesn’t lend itself well to skimming or speed reading. The bad news is that those terms and conditions will still exist. The good news is that they need to be free of legalese and written in plain language. More over as stated in clause 58 (extract below) visualisation should be used to make these more understandable and transparent, which means images. Unheard of in those stiffly written paragraphs we all so got used to skipping over.
[dt_highlight color=”” text_color=”” bg_color=””]The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used.[/dt_highlight]
Consent for direct marketing.
Different from consent of processing, the consent to direct marketing is to ensure you, as a user have the option to not receive any promotional emails.
One more thing, given that the consent to process and the consent to receive marketing material are different, the company cannot negate you service for not consenting to receiving promotional material.
Right to withdraw your consent at any time
Oh and even if they force you to agree to receiving promotional material to sign up, they need to provide an subscribe option, available at any time.
Consent to be tracked.
Do you sometimes get the feeling that you’re being watched? You search for some shoes to buy your father a gift on your phone. You log onto your computer and start browsing. All of a sudden all you see in the website banners are shoes. What the….
That’s on-line tracking for you. The hype is currently on cookies which are the mechanism that stores meta data about your on-line activity to “provide you with more valuable content”. Thankfully for us as citizens (not so much for advertising companies) the ePrivacy regulation has been brought up to speed with GDPR.
Browsers such as Chrome, Edge, Firefox and Opera just to name a few are now obliged to provide us with settings that take effect on every website I browse to. Such settings are:
- Always accept cookies
- Always decline
- Allow cookies only from these websites
- Block cookies only from these websites
- Block 3rd party cookies.
As an EU citizen, you don’t have to worry whether the company is a European based company or not. The regulation applies to all companies across the entire world that service or collect data of EU citizens. Having said that I would still be wary of giving my information to companies out of the EU, as realistically how will the EU force countries like Japan or US to comply with it’s dictates.
There is a US-EU Privacy shield between the USA and EU but don’t be fooled. It’s an on-line certification that the companies fill in themselves via an online questionnaire.
Link to US-EU Privacy shield summary.
Will the GDPR and ePrivacy make it more cumbersome and difficult to sign up for certain services? Most probably, as users will need to tick a myriad of check boxes before being able to sign up, however it should be well worth the hassle if it means that we as citizens are in control of our own personal data.
The EU is doing it’s best to protect the data rights of it’s citizens and it is also threatening companies with very hefty fines should they not comply. Hopefully they’re not done yet, as threatening is all well and good but enforcement takes a bit more than that.
Here’s my suggestion for the EU. Establish a clear compliance protocol (similar to PCI compliance) enact or train an audit and compliance function, and make this audit mandatory for companies once a year. Should a company pass the audit provide them with a GDPR compliance certificate. Should they not, then feel free to hit them with the €20,000,000+ fine as is currently being threatened.
So I went in Chrome to provide you guys with the screenshot of what these settings to enable and disable cookies really look like. The good news is I found them. The not so good news is that they’re buried deep in the settings. Most people will not be able to find them (reminder set to configure my mom’s browser settings next time I’m over). The bad news is that they’re defaulted to always accept.
To help you out, here are the directions to finding these settings on major browsers for your convenience and privacy.
Navigate to settings, at the very bottom of the page in small font, click on ‘advanced’. This should open a privacy and security option. Choose ‘Content Settings’, choose ‘Cookies’.
For a short cut to the chrome cookie settings use this URL : chrome://settings/content/cookies
Edge / Internet Explorer
Navigate to settings, scroll down, click on ‘advanced settings’, scroll down a lot until you get to a drop down menu called ‘Cookies’ which neither allows you to white list and nor to black list specific sites.
Navigate to browser settings and options can be found under ‘Privacy and security’.
Navigate to browser settings, Click on ‘Options’, Choose ‘Privacy & Security’. The options can be found under ‘Tracking Protection’.
Would you like be notified when new posts come out? Drop us a note via the contact us section and we’ll add you to our mailing list.