Society doesn’t tend to agree on much, but late last week hundreds of millions of people were united by the question: “What’s with all these emails about updated privacy policies?”
The flurry of messages led to many jokes and memes, but lost among the humour was the reason for this torrent of emails. It wasn’t just an amazing coincidence that every organisation you’ve ever visited updated its terms within the same one-week span. Rather, the messages were a requirement of the EU General Data Protection Regulation (GDPR), a strict new law designed to strengthen EU residents’ rights and freedoms concerning their personal data.
This blog goes beyond the memes, explaining why you’ve received all these emails and what you should do with them.
What is the GDPR?
The GDPR has three main aims:
- To ensure that organisations keep personal data only if there’s a legitimate reason to do so, and remove the data when it no longer meets that purpose.
- To ensure that organisations put appropriate measures in place to stay secure.
- To allow individuals to query and contest the personal data that an organisation holds. In some circumstances, individuals can request that organisations restrict, correct or delete their personal data.
These aims are all geared towards giving individuals more confidence when sharing personal data with organisations. Many people have noted the inauspicious start to the GDPR, given that it is directly responsible for an influx of spam, but this is a short-term loss for a long-term gain. And unlike traditional spam, there is something to be gained from these emails.
Organisations were required to contact you for one purpose: to let you know that they hold your personal data, and give you the option to receive a copy of that information.
The way you respond to each organisation will depend on how you reacted to hearing from them. For the sake of simplicity, we’ve split this into two scenarios.
The first scenario involves emails from organisations that you interact with regularly. You probably would have expected to hear from these companies, and you’ll have a good idea of what information they have and what they use it for. This makes reviewing their privacy policies straightforward. All you need to do is confirm that the information is correct and that it serves a valid purpose. The GDPR requires that policies are written in clear language and broken into easily navigable chunks, so you won’t be trawling through hundreds of pages of terms and conditions.
Be sure to keep an eye out for any data that’s inaccurate or that seems unnecessary. You might question why, for example, a newsletter you subscribe to needs your date of birth or why an online gaming site needs your phone number. If anything like this crops up and the organisation doesn’t list a lawful basis for keeping the information, you should query it and ask for the data to be removed.
Neglecting to do this means you continue to leave a long trail of personal data on various organisations’ systems, increasing the likelihood of you being a victim of a data breach. This isn’t an obscure threat that you can assume probably won’t happen. Data breaches occur every day, and even though organisations are ultimately accountable for data protection, you can take massive strides to protect yourself by limiting the personal data you share. The GDPR gives you the opportunity to do this, and it’s up to you whether you take that opportunity.
GDPR in the workplace
The GDPR doesn’t only apply to consumers. Many people will have experienced the effects of the GDPR in their workplace. You will probably have attended (or be due to attend) a GDPR workshop and been given a new employment contract that reflects the Regulation’s requirements. Additionally, anyone who collects EU residents’ personal data as part of their job should be given specialist GDPR training.
If you are an employer who is yet to meet this requirement, you should take a look at our Certified GDPR Foundation Training Course.
This one-day course provides the perfect introduction to the Regulation and its requirements. It’s delivered by an experienced data protection practitioner, who will explain:
- The GDPR’s background and terminology;
- The six data protection principles;
- The role of data controllers and processors;
- Data subjects’ rights;
- How to secure personal data; and
- How to report data breaches.
The course is running in venues across Europe, and is suitable for directors or managers who want to understand how the GDPR affects their organisation, employees who are responsible for GDPR compliance, and those with a basic knowledge of data protection who want to develop their career.