Here at Smarter Data Protection we want to share with you our passion for data protection. We know it’s something not many people would identify as a passion-inducing topic, but trust us, it can be! It just needs context.
Why is data protection important?
GDPR is a term that stands for General Data Protection Regulation. Although this acronym conjures thoughts of confusing business terminology, it actually affects more people than you might think.
Personal data is something we all have, whether 3 years old or 93. When you enter bank details on a shop’s website, or post a photo to social media, you’re leaving your personal data with parties that may not be providing the privacy you deserve.
As an individual, or data subject, you have rights that must be honoured by organisations processing your personal information.
We are all data subjects. Your relatives, friends and work colleagues are all data subjects; and that’s why GDPR should matter to you.
GDPR for everyone!
Since so much of our information is now digital, the importance of discretion is (arguably) exponentially higher than in the years prior.
Before the regular use of computers and mobile devices, data was shared in the electoral register and the phone book, where the options for anonymity and confidentiality were well understood. You could, quite simply, opt out of having your details published and, instead, be registered on a ‘not-public’ list. You also knew exactly where your data was going to be published if you didn’t opt out.
Life may have been simpler, and less digital, back then. Even so, we should still be granted the same levels of transparency and understanding.
How many of you actively encourage your elderly parents or relatives to shop online (to save their legs), or to bank online (because there are no local branches of that bank anymore)? I know I did.
But how many of us sat down with our loved ones and explained that your bank will not ask for all of your security details over the phone, or that your shopping habits are being monitored in order to market other consumables?
And what about our youngsters? How many parents take the time to teach their children about the facts of life, such as how to check websites for security, how to protect their passwords, what to think about before posting on social media, and why not to give out personal details online?
Data Protection is not another tedious exercise the ‘powers that be’ inflict on us, another thing to put on our to do list, another thing I have to think about on top of everything else.
It is time for us (data subjects) to be protected, to have control, to be forgotten/erased, to matter. That’s why the GDPR was born.
The ICO are running a campaign to help people better understand their privacy rights. You can find more information here.
How do these rights apply to us in our everyday life?
The right to be informed.
The right to be informed is key to the GDPR. Through compliant privacy notices you, as a data subject, should be acutely aware of what data is being collected, how it is being processed and for what purpose. You also should be told if your data is being transferred outside of the European Economic Area, and how you can complain if you need to.
In all cases, an organisation must have a lawful basis upon which to process your personal data. This should also be cited in the privacy notice. If the organisation cites “consent” as their lawful basis, then you must have given explicit consent at some point.
The right of access.
As a data subject you should be able to obtain access to your data by submitting a Subject Access Request (SAR). Data controllers and processors have one month to comply and they can no longer charge a fee for reasonable requests.
There’s a step-by-step guide available from the Information Commissioner’s Office, and it includes a template letter: https://ico.org.uk/your-data-matters/your-right-of-access/
The right to rectification.
In an age when lots of decisions are made automatically from data stored in systems, it’s important that data is correct. The right to rectification means that your concerns about the accuracy of your data, and the impact it may have on you, must be taken seriously.
An example of this could be a credit reference agency recording information against the wrong person. This sometimes occurs where members of a family have the same first name and surname and a late payment is attributed to the wrong person. This could affect your credit rating. You can use your right to rectification to make sure these errors are corrected.
The right to erasure.
The right to erasure allows you to request that all the data held, and any data shared with a third-party, be deleted or destroyed. Again, this is not an absolute right and data will have to be held where there is a legal obligation or a compelling reason to do so.
The right to restrict processing.
You have the right to ask any data controller or processor to restrict their processing to only that which is absolutely necessary for the purpose for which you’re engaged with them. You can also ask for processing to be restricted whilst any complaint or issue is being investigated. Again, this won’t be applicable in all cases but remains a general right.
The right to data portability.
The right to data portability is new and allows you to move, copy or transfer your data easily from one IT environment to another in a safe and secure way. A good example of this might be the data stored on fitness applications.
If a customer wants to move to a new software provider, they shouldn’t have to lose their old data as a result. The new right to data portability means they can ask their current provider for their historical data in a commonly shared format so they can continue to use the data in future.
The right to object.
You can submit an objection to processing both verbally and in writing, and the data controller in question must respond within one month. This is not an absolute right. You won’t be able to object to processing if the processing is a legal or contractual requirement.
Rights in relation to automated decision making and profiling.
You now also have the right to appeal any automated decisions you think are unfair or incorrect in some way. In these circumstances, the organisation in question must then ensure a human reviews the decision that was made. This applies, for example, if you’ve been refused a loan or credit and you’re not sure why, or whether the decision was made fairly.
Don’t Forget Your Right to Compensation!
There’s one other right that often gets forgotten. Article 82 of the GDPR cites that
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
This means that where a data subject has suffered damage as a result of a data breach, they have a right to claim compensation from the organisations in question.
If you can think of Data Protection as something personal, as though it were a relative’s, child’s or friend’s data you are processing, would it matter more?
Would you take more care with it? Would you make sure you did everything you could to protect it? Of course you would and that is why Data Protection matters to all of us.
The doctor that processes your mum’s data, the shop your dad buys his books in, the website your son visits to talk to friends, the photos your daughter posts of herself…where does that go, how is it stored, is it transferred out of the country, how long do they keep it, can it be forgotten? How can we protect them?
Be on board with that protection. Don’t get your business compliant because you have to. Do it because you want to protect your customers, employees and suppliers.
The Data Processing Principles