EU general data protection regulation – impact on the future internet
Jake Tom started his lecture with a general question for the audience: what does privacy in the digital age mean to them? Are people even concerned about giving out personal information, for example in the Bolt app, if the company uses the information they provide for purposes beyond its own operations?
He went on to introduce the GDPR (General Data Protection Regulation) in more depth. The GDPR came into force last year; put very simply, it is a reform of personal data protection across the EU, foundational work for the digital age. Planning started in 2012, the agreement was reached in 2015 and enforcement began in 2018. For the consumer it means that, if you are aware of all your options and anyone abuses your data, you can turn to the authorities and have legal protection.
Tom unraveled some of the background and incidents that really sparked the need for such regulation. He brought the example of India, where a couple of years ago there was a major data breach after information on every citizen had been gathered into one highly centralized system, which was very easy to hack. So the GDPR was, in a sense, an inevitable response to the growing number of data breaches.
The problem arose when people, and even more so companies and enterprises, started realizing the real value of personal information and what could be done with it, all in their favor and to their benefit.
Tom gave an example of how irrational people's actions can seem and how they don't make conscious decisions about what they post online, not seeing the bigger picture and not weighing possible future threats. When people posted those pictures of themselves aged by 10 years on Facebook, from a cybersecurity specialist's point of view this was simply donating a standardized profile picture of yourself to the online world, which could be used for malicious purposes to a great extent.
In 2016 many western companies started to examine whether they complied with the new standards, and that's when a lot of confusion arose, because the extremely legal text is full of debatable grey areas that come down to definitions.
Key definitions in the regulation that are important for businesses:
Consent – you have to get the consumer's consent every step of the way if you collect data about that person; this is why every website now forces you to accept cookies. Importantly, consent has to be freely given and you must be able to withdraw it; it must be unambiguous, given by an affirmative action, and distinguishable (it cannot be buried in a huge document of terms and conditions).
Purpose – every business has to state directly why it collects and needs that specific data.
Personal data – any personally identifiable data.
Controller – the person or entity who decides what can be done with the data; responsibility lies there in the case of a breach.
Processor – carries out the actual use of the data.
Data breach – any security incident in which personal data is compromised; there is now a set timeframe to notify the governmental authorities about the breach.
Transparency and pathways to your personal data (a clear chance for you to exercise your rights):
Right to access – the consumer can always contact the company and access the information it holds about them.
Right to erasure – you can send an email to any company asking them to erase all the information they have about you.
Notification obligation – they must notify you in case of a data breach.
Right to data portability – you must be able to download all the information they hold about you.
With this reform we really are setting a precedent in business culture, because many are inclined to use apps like Facebook and companies know that; now you have to be mindful about patching up the mess.
GDPR is not the first privacy regulation in the world; many have come before it, for example in Argentina in 2000 and in Australia in 1988, among others.
In practice GDPR is applied to varying degrees depending on the country, since this comes down to the local data protection authority. The problem right now is the incompetence of those authorities, which is also the case in Estonia. The variation between countries makes it really hard for companies that operate in many countries, as they have to comply with the regulations of each country they operate in.
The key question should always be: who gets access to your personal information, and what ensures that this person, entity or company uses that information for the right (consented) reasons?
Tom emphasized that the main takeaway is that the GDPR will take time to really come to life in full in our lives; it takes time for big companies to start taking it seriously. In the meantime, we all have to be mindful and cautious about our actions online and really think about the consequences and effects in the bigger picture and in the longer run. Right now a few lone clicks may seem like nothing, but many clicks from many of us add up to a huge amount of data.
Start educating yourself on how companies use your data, start reading the regulation itself, and know your rights – Jake Tom concluded his lecture with these three useful tips!