GENERAL DATA PROTECTION REGULATION (GDPR)
The EU’s GDPR came into effect on May 25, 2018, bringing great changes to how data protection is implemented.
GDPR controls what companies do with personal data, gives users more control over how their personal data is collected and used, and forces companies to justify everything they do with it.
GDPR was introduced because existing laws were written before smartphones started collecting massive amounts of sensitive personal information for companies like Google, Facebook and the rest. So GDPR gives them guidelines on what they can and cannot do with personal information.
UNDERSTANDING WHAT PERSONAL DATA IS (GDPR)
According to NIST, personally identifiable information is (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. But the GDPR definition takes it further: “any information relating to an identified or identifiable natural person”, which covers even IP addresses or location data, sexual orientation and political opinions.
FROM A BUSINESS OWNER’S POINT OF VIEW
You need to determine whether your organization is a Controller or a Processor. A controller is a company that collects personal data, whether through its website, app or another medium, and then decides what to do with it. A processor is a supplier that handles the data on behalf of the controller. As an example, a bank would be a controller and its mail agency would be a processor.
As a business or website owner, the GDPR obliges you to take the data-related rights of EU residents seriously. As such, you can think of the GDPR as a data BILL OF RIGHTS for EU citizens in relation to their data. So the GDPR is uncompromisingly in favor of the end user with regard to their rights, which include:
- The right to be informed.
- The right of access: organizations must provide individuals access to the data they hold on them without any charge.
- The right of rectification: if the data you hold on someone is incorrect, you must correct it and send that correction to any third parties with whom you shared the incorrect data.
- The right to erasure.
- The right to restrict processing: individuals control how and where organizations use their data.
- The right to data portability: individuals must be able to export their data in an open format, such as CSV.
- The right to object.
- The rights regarding automated decision making.
I will explain two of these rights in detail.
THE RIGHT TO BE INFORMED: The GDPR obliges organizations to state very clearly how they plan to use personal data. They must communicate that information in a way that is:
- Clear, transparent, intelligible and easily accessible
- Written in simple and plain language, and
- Free of charge
THE RIGHT TO ERASURE: This right is not absolute, but individuals have the right to ask organizations, and not only social media platforms like Facebook, to remove their personal information from their platform or website. EU residents can ask organizations to delete their data and prevent further processing of it. Ultimately, if an EU resident requests that an organization delete their data, then the organization’s default response should be deletion of that data.
Moving forward, I’m sure in years to come other nations including Nigeria will join the league of personal data protection regulators, because if you talk about BIG DATA, the Internet of Things (IoT), Artificial Intelligence (AI) and others, then end users must have better rights to their personal data, else there will be anarchy in the data-sphere; just like what we have in our telecom regulation as “DND”, where customers are allowed to opt out of receiving promotional messages for third-party services. Before then, telemarketers were just a nuisance to our mobile life.