GDPR – What’s in it for you?

Finally, a political and economic organization, namely the EU, is introducing a complete set of regulations meant to protect your data and privacy, because you have the right to know how and why companies, websites and social media are using your data.

In an era of almost daily data breaches, GDPR, the new data protection law, should bring us more clarity and control. Never been a victim of a data breach so far? Just to make sure, do this small experiment and type your email address(es) into the haveibeenpwned website.

Discovered something that looks like the image below?

Don’t worry! Just take a deep breath and change your passwords. Use a password manager and set very long and complex passwords. You won’t need to change them except if your password gets leaked.

Of course, GDPR is not solely about data breaches.

The General Data Protection Regulation is meant to set a standard for people’s right to privacy and control over their data.

We’re here to help you learn more about data protection topics such as:

  • giving your consent for any data processing
  • transferring your data to a different company
  • asking a company or a website to delete your data.

So, explore the ins and outs of GDPR and find out how you can control your personal information:

  • A short introduction to GDPR
  • How you can control your data based on GDPR
  • Your right to access your personal information
  • How to activate your right to be forgotten
  • What is data portability and how to use it
  • Read privacy policies from the beginning
  • GDPR’s approach on children data
  • Will GDPR impact your data privacy?

Read the guide below and you’ll find out how to take full advantage of the new regulation to gain more control over your data.

Short introduction to GDPR

The new regulation replaces an EU data protection directive established over 20 years ago, with the purpose of protecting people’s personal digital data. The global increase in social media usage, as well as the numerous data breaches of recent years, called for a new data protection law.

Pretty cool, right?

Well, that’s not all: as an online user, you should also be notified if there is a data breach and your PII (personally identifiable information) has been compromised.

Personally identifiable information that GDPR protects includes:

  • Identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political beliefs
  • Sexual orientation

The GDPR will become official on May 25th, 2018. Although the new rules mainly target EU countries, GDPR will have a significant impact on the entire world.

The world is so interconnected that even companies outside the EU will have to comply with the new law. For example, a U.S.-based company that holds client data in Singapore is subject to GDPR if that data includes clients who are EU citizens.

Additionally, New Zealand wants to align with the EU’s new data protection rules. The New Zealand government is preparing new legislation called the Privacy Bill, which also reinforces an older privacy-related regulation.

5 things you can do with your privacy based on GDPR

Here is what you need to know about GDPR in terms of your rights:

1. Receive a notification if your data is part of a breach

As mentioned, companies will be required to inform their clients of a serious data breach involving their personal data. However, users are only notified when a breach is likely to result in a risk to them.

The company first sends the notification to the Data Commissioner Authority. If the breach is classified as risky, the company must then notify the affected users.

The notification must be made within 72 hours of the company first becoming aware of the breach.

Of course, finding out that your data was stolen is no reason for joy, but it is better to know about it as soon as possible. In many cases, early notification gives you extra time to take care of administrative details (e.g. changing your passwords or contacting the company to find out exactly what data was exposed) that would be impossible if you were notified much later.

A famous example of a data breach is the one from Equifax, a major American credit reporting agency that exposed the personal information of 143 million customers.

2. Use your “right to access” to know how your data is handled

This gives you the right to know:

  • how the personal data you give to companies is processed and stored
  • where, for what purpose and for how long companies will keep your personal data

As an example, companies can keep purchasing records for ten years for auditing purposes if they want to, as long as this fact is clearly documented.

This places a huge responsibility on companies, as they have to take extra care when handling and managing people’s data.

They will no longer be allowed to use your data as they see fit, for instance by selling it to advertising companies without your consent.

Here is an example of a bad email informing you about updated privacy policies that are supposedly GDPR compliant:

As you can see, there is no button to opt out. This is illegal under GDPR, and you can file a complaint about it with the authority in your country that handles such matters.

Take action and change inaccurate data

The right of rectification means you can ask a company or organization to correct or update your personal data. For instance, if you change your last name after marriage or move to a new address, you should inform the companies that hold your personal data (article 16 of GDPR).

Moreover, companies are required to reply and confirm that they have made the requested changes.

3. How to claim your right to be forgotten

In some cases, you have the right to require a company to delete all your personal data, if that data is no longer relevant to the original purpose for which it was processed.

Example: if you register for a contest or a special offer, you can ask the company to erase all your data once that contest or offer expires.

Some things cannot be deleted:

  • data that requires processing for reasons of public interest in the area of public health
  • data that requires processing for the exercise or defense of legal claims
  • data that requires processing for archiving purposes (e.g. by law, bank records have to be kept for a period of time)

Certain legal and administrative data, such as medical records or information requested by national financial organizations, cannot be deleted. This data must be retained because it is necessary for public health and socio-economic reasons respectively.

In other words, some requests based on your right to be forgotten can be refused on grounds of legal necessity and public interest.

4. Your right to data portability and how to use it

As its name suggests, you have the right to transfer your data from one company to another.

You can request from a company a copy of your personal data in a clear and structured format. You can then use this copy to transfer your data to another organization, which may even be a competitor.

Furthermore, this data has to be provided in a machine-readable format, so that the new organization can import it more easily.

Example: You can transfer from one telecom and internet services provider to another.

Keep in mind: the original controller has no legal obligation to delete the transferred data unless you exercise your right to erasure (article 17 of GDPR).

5. Clear privacy policies from the very beginning

This concept forces companies to be transparent about privacy policies from the very beginning.

Privacy by design requires data controllers to apply the right technical and administrative tools for data processing.

Example: Companies must implement IT systems that can fairly manage and store people’s personal data.

They should also clearly present privacy policies and their terms and conditions to clients or make these details easily reachable and visible.

Additionally, any change in the privacy policy must be clearly communicated to users. This is why your inbox was flooded in the week prior to GDPR coming into force.

What else is included in GDPR?

All websites have to comply with GDPR

GDPR also applies to social media posts and photos uploaded to any website. The regulation will make life harder for social media giants, which will have to stick to their initial purposes and no longer collect personal data without users’ prior approval.

For example, here’s what you should find on a website that follows GDPR rules:

Stronger protection for children’s data

According to GDPR principles, children should be at least 16 years old for their data to be processed. Even so, individual Member States can set their own age limit so that it matches local legislation.

Additionally, GDPR stipulates that children should be at least 13 years old to have the right to sign up to digital services.

Examples: YouTube Kids and Facebook are among the biggest companies that target children’s data.

Still, children’s data collection and protection are likely to face some difficulties, like:

  • The right to be forgotten also applies to children. But will they request this right and will the process be straightforward enough for them?
  • Additionally, will companies that collect data from children write their privacy notice in a way that is clear enough and understandable for children?

Organizations that provide online services to children may, by law, need a parent or guardian’s consent to process their personal data.

GDPR allows you to encrypt your personal data

GDPR states that the use of pseudonyms online is acceptable as long as it is a measure of precaution and security. In other words, you are allowed to encrypt your personal data (in fact, this is highly advisable), and you even have the right not to reveal your true identity on certain websites, such as social media.

For instance, Germany won a fight with Facebook over users’ right to use fake names before GDPR became official.

However, this does not mean that you can use fake names anywhere you’d like.

GDPR does NOT give you the legal right to give fake names to the police, in court or to other public organizations. In particular, using a fictitious name to conceal a crime or cause damage is a punishable offence anywhere in the world.

As noted, this only applies to certain online platforms, where your real identity is not mandatory.

How to file a complaint against a company under GDPR

If you believe companies don’t care about your data, you’re probably right. But they will start caring, since they risk huge fines if they don’t respect GDPR rules.

The possible fines are divided into two levels:

Lower level

  • up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher

Upper level

  • up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher

If a company is found to have infringed GDPR rules multiple times, it will be fined according to the most severe infringement.

Report a company that is not GDPR compliant

It’s important not only to take note of the new privacy rules (which are very much to your advantage), but also to check whether data controllers are taking these rules seriously.

Whenever you believe a company has failed to comply with any GDPR rule, you can report it to a Data Protection Authority. DPAs are present in all EU countries and are authorized to investigate any suspected violation of the GDPR.

Find a list of all contact details of Data Protection Authorities in Europe at the end of the article.

Are companies prepared to apply the GDPR legislation?

A simple answer would be NO.

Based on GDPR stipulations, worldwide companies that handle or collect data on European users must protect this information in full accordance with the regulation as if they were based in Europe.

According to recent surveys, only 5% of EU-based companies consider themselves fully ready for GDPR. Paradoxically, 35% of US organizations also don’t believe they will be prepared to meet the new regulations by May 25th. In addition, American companies don’t know exactly how the GDPR impacts their business.

Being GDPR compliant is an ongoing effort. Companies should have a plan, act from a risk perspective, and be able to demonstrate that they took all the necessary steps to respect GDPR.

GDPR leaves some unanswered questions

Although this new regulation tells you how your data should be handled, it comes with plenty of uncertainties for companies worldwide. Small companies in particular will face challenges. So far, there is no clear methodology for each process stipulated in GDPR, which makes it all very confusing for businesses around the world.

There are several questions to which GDPR has so far failed to give a clear answer:

  1. Do you always have to give your consent for any data processing?
  2. What is the process if you want your data deleted?
  3. How can companies ensure the “deletion” is done across all platforms and that the data is really deleted?
  4. How can companies confirm that the person requesting a data transfer is who they say they are?
  5. What exactly is the communication plan in case of a data breach?

What are users’ concerns regarding GDPR?

Here is what a user who also manages a website believes about how GDPR will be implemented:

Data privacy is a very important issue. I like it… ON PAPER. However, this is being implemented in the worst way possible – all at once. Here’s one example of how it could have been improved: it could have been rolled out in phases.

Phase 1: Require simplified privacy policies and other legal documents. Eliminating “Walls Of Legalese Text” is great for the internet, and perhaps the easiest to adopt right away.

Phase 2: Remove old/unreasonably kept data. Require consent for future data collection.

Phase 3: Require consent for collected data in the past. Give web developers adequate time to gain fresh consent. (I personally lost 8K mailing list subscribers because by the time I learned of GDPR I did not have enough time to gain fresh consent.)

It’s all happening all at once and it’s going to inevitably lead many websites to take extreme measures. Here in the US only a small portion of people have even heard of it! (Just look at Google Trends, filtered by US.) Even then, the misunderstanding that this only applies to the EU is very popular as well, even if it’s not true. Most non-EU entities simply didn’t – and still do not – know they should be taking GDPR seriously.

And finally, my personal scenario: I have spent so much time optimizing my SMALL website, it’s caused so much stress… And still, after checking all the boxes, I STILL HAVE DOUBTS. That’s right, there is no clear moment when you think, “Ah yes, I am finally compliant!” … We should have a very clear, reasonable measuring tool to know that we are compliant. There will inevitably be people who get the 20 million fine who tried everything to be compliant, but were fined because of a loophole or ambiguity, and that’s just sad.

btcrazy

Will GDPR have a meaningful impact on my data privacy?

In theory, GDPR brings numerous benefits to you, as a client of a company or as an online user. GDPR mainly says that you should be in full control of your data, because that is how it is normally supposed to be.

The whole purpose of GDPR is to make you and everyone else feel protected every time you give out your personal information. You no longer have to fear that, if someone hacks your data or you discover it was stolen and used for purposes other than you expected, you are simply powerless and have to give up.

Companies and organizations that fail to comply with GDPR rules are liable for huge penalties.

What experts say about your new, stronger rights

Expert opinions on GDPR highlight the fact that companies will have to make an effort in re-thinking their marketing strategy. However, they should also gain their customers’ trust, so the hard work should be worth it.

Here is what some specialists say about GDPR (replies to emails I sent):

What is the most important benefit for the individual Internet user in Europe under the GDPR?

Under the GDPR, users have a greater control over who collects and stores their personal data, as well as how that data is used. The GDPR is designed to help protect European citizens from unsolicited contact by businesses and from unapproved data storing and processing.

Alexandra Isenegger, CEO Linkilaw

The most important benefit is being sure that your personal data is under protection – officially and by law. This means staying calm and sleeping well. I believe that GDPR is a great thing in the long run since data becomes our main asset in this new world of networks and devices.

Den Golotyuk, Founder and DPO IO Technologies

For all internet users it’s now way easier to get information on what kind of personal data is stored in different databases. It’s wonderful to finally get power over your own email and stored information. Each provider needs to give you all they have on you under the law. The change that brings in behavior is going to clean up lots of the shady marketing people were using. I’m very happy, as a European working for a company in the USA, that I can see both sides, and at Convert.com we even decided to completely change the product to offer A/B testing without personal data. So, we changed our behavior and product based on the desire of Europeans to get more control over their data.

Dennis van der Heijden, CEO and Founder of Convert.com (A/B testing software)

The GDPR forces organisations to demonstrate they are using consumer data legally. There are six legal bases for processing data, and getting consent directly from the consumer in a clear, fair and transparent way is one of them. For far too long data has been abused, and the GDPR is putting the onus on organisations to get things right and put our data first.

Mike Lenard, Managing Director, Tailored Data

As Jeffrey Rosen stated:  “The ideal of privacy…insists that individuals should be allowed to define themselves, and to decide how much of themselves to reveal or to conceal in different situations…”. GDPR is a step in the direction of materializing privacy, and it’s a step in the right direction, but further steps should be taken.

Venetia Argyropoulou, Data Protection Officer at CyberGhost VPN

Shaping the future of privacy one step at a time

Overall, GDPR creates challenges, specifically for businesses, but it also creates opportunities.

The main GDPR principles are:

  1. Trust instead of free access and ad-based business models
  2. Trust and security as fundamental values for any business
  3. A clearer way to differentiate between trustworthy companies and shady ones

We encourage you to defend your privacy

CyberGhost VPN’s mission aligns completely with GDPR. We believe everyone has the right to privacy. You should be able to control your data because you own it in the first place. A law should protect your data, since you never know exactly what happens to it once you share it online. GDPR sounds great in theory; everyone is now waiting to see how it will be managed in practice.

GDPR is all to your benefit, but:

Do you truly believe GDPR will enforce your trust in companies and the way they handle your data?

Feel free to share your opinion with us and tell us what you think.

As Robert Knapp, CyberGhost VPN founder said:

Privacy is not negotiable. It is a basic human right. The civil rights approach must be in the center of everything we do if we want to live in a free and liberal society. […] Civil rights are invulnerable rights and there must be a very good reason to restrict them. […]

We live in a surveillance world. And this surveillance world is called the Internet.

GDPR terms explained

Data subject = any person whose personal data is being collected, held or processed.

Data controller = the company or the organization that determines the purposes for which and the means by which personal data is processed.

Data processor = the company that processes and manages personal data only on behalf and under the instructions of the data controller.

*In many cases, a company can be both data controller and data processor: a company is the data controller with regard to data about its staff, but can also be a data processor in relation to the data of its clients.

Data portability = the fundamental right of the data subject (usually an individual) to move their information from one controller to another controller; this can be done by copying or transferring data from one database, storage or IT environment to another.

Data breach = illegal viewing, access or retrieval of data by an individual, application or service; an incident that usually occurs when an unauthorized hacker or attacker accesses a secure database.

The consequences of a data breach include the loss of data such as financial, personal and health information.

Data processing = a wide range of operations performed on personal data, such as collection, storage, use, erasure or destruction.

Personally identifiable information = any data that can be used to identify a particular person; it can be social security numbers, email addresses, phone numbers, etc.

Consent = clear, voluntary, and unambiguous agreement, expressed in mutually understandable words or actions to a certain proposal or action; in the context of GDPR, unless your personal data is required under legal obligations, your consent is required for data processing.

Data Protection Officer = a hired expert on data privacy within a company or organization who monitors and ensures that the company is complying with the policies and procedures established by data protection regulation.

Data Protection Authority = independent public authority that supervises the application of the data protection law; each DPA is appointed at a national level, through national legislation.

Contact details of Data Protection Authorities in Europe

  • Austria: e-mail dsb@dsb.gv.at, website http://www.dsb.gv.at/
  • Belgium: e-mail commission@privacycommission.be, website http://www.privacycommission.be/
  • Bulgaria: e-mail kzld@cpdp.bg, website http://www.cpdp.bg/
  • Croatia: e-mail azop@azop.hr or info@azop.hr, website http://www.azop.hr/
  • Cyprus: e-mail commissioner@dataprotection.gov.cy, website http://www.dataprotection.gov.cy/
  • Czech Republic: e-mail posta@uoou.cz, website http://www.uoou.cz/
  • Denmark: e-mail dt@datatilsynet.dk, website http://www.datatilsynet.dk/
  • Estonia: e-mail info@aki.ee, website http://www.aki.ee/en
  • Finland: e-mail tietosuoja@om.fi, website http://www.tietosuoja.fi/en/
  • France: website http://www.cnil.fr/
  • Germany: e-mail poststelle@bfdi.bund.de, website http://www.bfdi.bund.de/
  • Greece: e-mail contact@dpa.gr, website http://www.dpa.gr/
  • Hungary: e-mail peterfalvi.attila@naih.hu, website http://www.naih.hu/
  • Ireland: e-mail info@dataprotection.ie, website http://www.dataprotection.ie/
  • Italy: e-mail garante@garanteprivacy.it, website http://www.garanteprivacy.it/
  • Latvia: e-mail info@dvi.gov.lv, website http://www.dvi.gov.lv/
  • Lithuania: e-mail ada@ada.lt, website http://www.ada.lt/
  • Luxembourg: e-mail info@cnpd.lu, website http://www.cnpd.lu/
  • Malta: e-mail commissioner.dataprotection@gov.mt, website http://www.dataprotection.gov.mt/
  • Netherlands: e-mail info@autoriteitpersoonsgegevens.nl, website https://autoriteitpersoonsgegevens.nl/nl
  • Poland: e-mail kancelaria@giodo.gov.pl or desiwm@giodo.gov.pl, website http://www.giodo.gov.pl/
  • Portugal: e-mail geral@cnpd.pt, website http://www.cnpd.pt/
  • Romania: e-mail anspdcp@dataprotection.ro, website http://www.dataprotection.ro/
  • Slovakia: e-mail statny.dozor@pdp.gov.sk, website http://www.dataprotection.gov.sk/
  • Slovenia: e-mail gp.ip@ip-rs.si, website https://www.ip-rs.si/
  • Spain: e-mail internacional@agpd.es, website https://www.agpd.es/
  • Sweden: e-mail datainspektionen@datainspektionen.se or lena.schelin@datainspektionen.se, website http://www.datainspektionen.se/
  • United Kingdom: e-mail international.team@ico.org.uk, website https://ico.org.uk
  • Iceland: e-mail postur@personuvernd.is
  • Liechtenstein: e-mail info.dss@llv.li
  • Norway: e-mail postkasse@datatilsynet.no
  • Switzerland: e-mail contact20@edoeb.admin.ch

Find the extended list of DPAs.

About the author

Dana Vioreanu

Even though her degree is in Sociology, which technically has nothing to do with writing, all her previous jobs involved working for websites, taking care of content and writing articles.
By the way, if you’re interested in studying abroad, feel free to ask her for a few pointers, because for about two and a half years she learned almost everything there is to know about international studies.

4 Comments

Hi there,

The fact that CyberGhost is an EU-based company just enforces that we, and any EU company for that matter, are more careful with people’s personal data. As a member of the EU, Romanian law does not force us to keep any logs of the users’ actions; GDPR does not change that, it just reinforces it. Please be aware that the European Union offers a higher standard in data security laws compared to the US, for instance.
So, this should not concern our users because we will go along with our no logs policy like we used to do so far.

© 2017 CyberGhost