General Data Protection Regulation, or GDPR, comes into effect on 25 May 2018. Here’s what you need to know to understand what the changes mean for you.
You’ve got the emails: ‘Don’t let this be goodbye’; ‘Let’s stay friends’; ‘Please stay in touch!’. But this time, they’re not from a desperate ex. They’re the newsletters, promotions and marketing services you’ve had an inbox-based relationship with for months (or even years).
If you’ve opened any of the messages, you’re probably familiar with the idea of General Data Protection Regulation, or GDPR – Europe’s new guidelines on data privacy.
Just a few years ago, the idea of data protection hardly ever made the headlines. But now, the concept comes up regularly, most famously in relation to Facebook’s Cambridge Analytica scandal. (If you took a Facebook quiz about which Disney princess you are, or did almost anything else on the social network, sneaky actors likely scraped your profile, stole your data and sold it to political lobby groups without your permission. You can find out if you were targeted here).
Even though experts had warned for years that our data was being used this way, Facebook finally got caught in the act and deployed its CEO, Mark Zuckerberg, on an international apology tour.
While everyone’s enjoyed watching the tech billionaire squirm in front of a wall of cameras, the biggest takeaway seemed to be an entrenched sense of horror after learning how much – or little – the majority of elected officials know about the digital spaces that have radically changed the way we live, work and play.
US Senator Orrin Hatch (R-UT), 84, spent his allotted time at the hearing asking about Facebook’s basic business model – the very thing they were there to regulate. “So, how do you sustain a business model in which users don’t pay for your service?” asked Hatch. “Senator, we run ads,” Zuckerberg responded, barely containing a laugh. “I see,” Hatch replied. “That’s great.”
Others took the opportunity to marvel at the very concept of a social network and boast about their friend list. “I’ve got 4,900 friends on my Facebook page. I delete the haters and save room for family members and true friends on my personal page,” Senator Thom Tillis (R-NC), 57, told Zuckerberg. “I’m a proud member of Facebook, just got a post from my sister on this being National Sibling Day.”
While the spectacle was disturbing (and not unlike teaching your grandparents about the internet), many of us don’t understand the very real implications of the tech we’re using every day.
Zuckerberg’s public apology tour has wrapped up, but there are still very real problems with the ways companies collect and use our data – and very few people are actually convinced that the biggest, richest and most powerful profit-motivated companies in the world are suddenly going to give up on their business model (selling your data) and respect your privacy simply because it’s the right thing to do.
Stateside, the data drama hasn’t yet led to any enforceable action or change in the law. (The land of the free famously favours the free market and is resistant to regulating anything that’s making bucketloads of money.) In Europe, politicians have turned to their version of standard operating procedure – creating a set of bureaucratic regulations. And so enters GDPR, the most immediate effect of which has been an onslaught of desperate emails. So what’s it all about, and what does it really mean for you? We’ve got the answers to your most frequently asked GDPR questions.
Your name, email address, date of birth, passport number, bank details, social network posts, medical information, computer IP address and, under some circumstances, images of your face and information about your relatives.
GDPR has flipped the script on something called ‘assumed opt-in’. Going forward, if a company wants to spam you with promotions and news, you have to explicitly click to opt in to their marketing materials – before GDPR, you had to click to opt out. It may seem like a small distinction, but it’s based on ‘nudge theory’, a Nobel economics prize-winning concept that assumes humans are kind of lazy and basically go along with the path of least resistance. In France and Spain, legislators applied the theory to organ donation forms. (Rather than asking people if they’d like to opt in to donating their organs to science when they died, they asked if people would like to opt out and not donate.) Rates of organ donation skyrocketed, potentially saving thousands of lives. Thanks to GDPR, you’ll be saved from all those annoying emails you never wanted in the first place.
You’re probably still tempted to take a quiz to ‘Find Out What Your Horoscope Says About Your Personality’. But does that mean you’ve got to sign away your life history? Not anymore! If your personal data is being processed for direct marketing, you’ll be able to prohibit this kind of data usage thanks to GDPR.
However, if you’ve explicitly consented to your personal data being used for ads in the past (you clicked ‘yes’ on a pop-up you probably didn’t read), then apps and others can continue to do so. Check your privacy settings to learn about what you’ve consented to and adjust accordingly.
No. With GDPR, services are required to explain how they’ll use your data and ask you to explicitly consent.
Yes. With GDPR, organisations are required to tell you how you can quit and demand your information be removed. They’re also legally required to respond within a month.
Yes. With GDPR you have the right to request your existing data profile, as well as the various ways a company is using your data. The service is free, but companies are allowed to charge a ‘reasonable fee’ based on any administrative costs they incur if you ask them to send it more than once.
GDPR requires organisations to report certain types of data breaches within 72 hours. If individuals are also put at significant risk (there was private data about them in your work database, for example), they must also be informed. Failing to do so can result in a fine of up to 20 million euros (£17.5m; $23.4m) or 4% of the organisation’s annual global turnover – whichever is greater. The penalty for delayed reporting alone tops out at 10 million euros or 2% of global turnover.
GDPR gives you the right to ask for the details involved in the algorithm’s decision if you didn’t consent to its use in advance, and gives you the right to ask a human to reconsider the choice. If you didn’t know that organisations were using artificial intelligence to screen for jobs, read our explainer on the real-world impact AI is already having on your life.
For a deep look at how digital disruption is affecting our lives and what we can do about it, read our feature ‘The People vs Tech: Can We Save Democracy from the Internet?’.