EU citizens finally control their data.
Why is it happening?
Information, such as social security numbers, dates of birth, and names, will rarely change throughout a person's life. It is, therefore, dangerous that some companies, without the knowledge or consent of individuals, can sell an individual’s personal data or pass the data to other companies with little to no concerns about safety or the effects it can have on people's lives.
To counter the easy access to people's personal information, the European Parliament approved the General Data Protection Regulation (GDPR) back in 2016, and it went into effect last year, on 25 May 2018. This Regulation contains a set of rules directly applicable to the member states' legal orders, and it is mandatory for all types of businesses, companies and other entities, including non-profits and even the public services of the member states.
The GDPR states that, in the short term, companies are required to have a legal basis for obtaining data, such as a contract or the express consent of the data subject. Likewise, people have the right to know who is processing what data and why. They have the right to access it, correct it and object to its processing, as well as the right to have it deleted and to be forgotten.
Why does it matter?
To comply with all the new rules and to avoid infringing the data subjects' reformed rights, all public and private entities will have to adapt, one way or another. The more sensitive the data is qualified under the GDPR, the more scrupulous the data processing procedures must be. Hospitals, for example, possess a lot of sensitive data - patients' medical records - and therefore will need to be assisted by a Data Protection Officer (DPO). That is someone whose job it is to ensure that all the mechanisms needed for a certain activity obey the new data protection rules, and that there is a quick response system in case something fails and causes a data leak.
In Portugal, a public hospital was fined 400,000 euros by the Portuguese Data Protection Authority because non-medical staff had access to medical files. It is not just the occasional unwanted promotional email or text that is at stake. Situations like this one generate a high risk of data leaks, and those can have a great impact on people's lives.
Imagine being denied a bank loan or health insurance because of confidential medical information that no one other than the patient and his/her physician should possess. Unfortunately, almost one year after the (supposed) full implementation date of the GDPR - and after 2 more years for preparations - most member states have yet to adapt their internal legislation accordingly. This is the main reason why the Data Protection Authorities' control and supervision role, needed to ensure data protection awareness among both individual citizens and public/private entities, fails.
What can you do about it?
The European Commission seemed to realize that, ultimately, the member states' lack of activity will have a negative impact on companies and businesses, and has just recently been trying to provide some guidance. Working Party 29, an entity with advisory status, issued crucial guides based on real problems and questions raised by companies and individual citizens.
Those guides aren't just there to help companies implement the regulation's rules; they also explain what citizens have to do to better protect their data, and it's up to them to learn how to protect themselves in the best way possible. Although the EU aims for unified protection when it comes to people's data, a citizen's protection mechanisms and the procedures available will ultimately depend on each State's data protection laws.
Even though the GDPR does allow each State to adapt its data protection rules up to a certain point, people will necessarily have at their disposal a report-like process before an independent data protection regulatory authority, as well as the legal possibility to complain directly to the companies and demand justification for their actions. Nevertheless, there are ways that everyone can keep track of where their data ends up and how it is used. Asking whether the requested information is really necessary for a certain action works well as a general filter.
Tiago Tavares is a contributor to The Intelligence Brief.