In the past, we’ve explained what GDPR is and how it is changing the way companies look after and store your data. It came into force on 25th May, empowering EU citizens to take control of their data, and dictating how, where and which information about them is shared. Businesses found breaking the rules could be fined up to €20 million or 4% of the company’s global annual turnover, whichever is higher.
Usually, the subject lines on these emails read “The law has changed”, “Please read and accept our updated T&Cs” or “Tell us if you’d like to continue hearing from us”. The emails explain, without jargon, how the company stores your data and what it uses it for, and offer you the option to accept or decline. Popular social media sites like Facebook or Twitter often allow you to edit specific privacy settings and restrict which information about you is shared.
If you decline or ignore the email, the company is no longer able to contact you. However, this does not mean that your data will be erased. For this to happen, you need to exercise your “right to be forgotten” or “right to erasure”, which compels the business to delete your personal data upon request. If you’re unsure about which information a company holds on you, it’s also within your right to contact them and ask them to disclose what they have, including how they got it and what it’s used for. Once you’ve requested this, the company needs to disclose this information to you within 30 days.
It is worth noting that the right to erasure is not an absolute requirement: subjects do not have an unconditional right to be ‘forgotten’. If there are other legitimate, legal reasons for the organization to retain and process data, subjects are not entitled to be forgotten. This could be the case if information is commercially sensitive or damaging. However, exceptions are few compared to the multitude of data uses common in our daily lives.
You are also able to retroactively restrict your information. So, if you decide at first that you’re happy for an organization to keep hold of your data, but later decide that you’re not, you can rescind your consent and ask them to stop contacting you.
GDPR is revolutionizing data protection and privacy, and in this climate of cybercrime and fraud, it’s a big step towards universal digital security.
Do you have a question about GDPR you’d like answered? Comment below or tweet us @JustAskGemalto