GDPR, my data and me

“GDPR, what a complete and utter pain in the backside” said every business in the EU.

As someone who really cares about how my personal data is managed, this statement makes me pretty sad. However, it encapsulates the attitude of a lot of businesses I have come across over the last few years. In a nutshell, GDPR means that businesses will actually have to DO something about the way in which they handle people’s personal details. Oh, my goodness, the horror! That businesses should actually care about their customer’s data? If you could see the depth of my eye roll you’d be impressed.

It seems to me that the closer we get to May, the more removed many organisations are becoming from the core reasons for introducing GDPR in the first place. The whole point of this law is to provide people with more control and protection over their own data. Yet, at present, the law seems to only be functioning to cause businesses extreme anxiety. Ironically, it seems as though the people for whom the law was written, and who will ultimately benefit from it, are the only ones who aren't aware of it.

I searched online to see whether there was any information available for the general public rather than for businesses. Unsurprisingly there is next to nothing. What has been written is so complex that you’d need a law degree to understand it. Therefore, because I genuinely think that GDPR is a great thing, so I thought I'd write a short summary of the law, without any legalese, about what GDPR will actually mean for you, the general public.

What is it?

GDPR is an upgrade to a number of data protection laws written over 20 years ago. These laws are outdated and don’t take into account the huge technological advancements that have occurred in recent times. GDPR helps to bridge the gaps created by these advancements and means that:

1. Companies have to be open, transparent and explicit about what they plan on doing with your data. They also have to use really simple and concise language. No more complex privacy statements that don’t make any sense.
2. The personal information you choose to give to companies will be safe, protected and processed in a way that means it won't end up online for everyone to read.
3. Companies need to ensure that they don't retain old or inaccurate data about you. E.g. update your address so it's not listed as the place you rented for 6 months over a decade ago
4. Your doctor, social worker, or any other person who has access to very sensitive information about you, won't print your very private details and accidentally leave them on the train for the world to see.
5. Companies won't try and sell to you years after you no longer need the item you were originally interested in
6. Companies will stop contacting you about their products and services if you haven't agreed to it or are no longer interested in it.
7. Businesses will continue to send you important information necessary to something you've purchased.
8. If you no longer want companies to keep your data, you can ask them to “forget you”. I.e. delete everything about you as an individual.
9. If you want to know what information companies store about you, they must provide it within one month of your request.
10. You can choose for companies to not use automated methods to profile you. E.g., a recruitment aptitude test or automated decisions to award loans.
11. If you want to move your data from one company to another, the company you are leaving must provide a way for you to transfer the data. E.g. you switch from one bank to another and want to transfer your past transactions.
12. Even if a company is based outside of the EU they will need to comply with the law because you are based in the EU.

I really do hope that the mentality towards this law changes over the comings years. It really is there to protect you and the people you care about. It can only be a good thing in the long run.