Understanding GDPR: A Comprehensive Guide to Your Digital Rights in the EU
Personal data is the cornerstone of the modern digital world. It’s how we shop, bank, and manage our personal lives. But with the rise of the digital world comes new challenges, too. The way companies use and share personal data has become increasingly common, giving hackers and spies easy access to sensitive information.
Introducing the General Data Protection Regulation (GDPR) for EU citizens meant a better way to safeguard data privacy. The regulation—which came into force in May 2018—gives people more control over how their personal information is used, whom it is shared with, and protects individuals’ right to privacy.
The GDPR is not just another set of regulations; it marks a new era of privacy law that affects how businesses, government agencies, and individual users operate. Consequently, data controllers and processors must understand their data subjects’ rights and the privacy of personal information under the GDPR in order to avoid penalties.
Following that summary, here’s what we will cover in this article:
- What is the General Data Protection Regulation (GDPR)?
- Data controllers and data processors: Who are they?
- 3 steps to help you take control of your privacy
- 8 user rights to consider under the GDPR as an EU resident
- Creating GDPR compliant documents: how Inkit Render can help
What Is the General Data Protection Regulation (GDPR)?
General Data Protection Regulation (GDPR) is a regulation that aims to harmonize data protection laws across the European Union (EU). It was implemented on 25th May 2018, after its earlier adoption on 14th April 2016.
The purpose of the GDPR is to give EU residents a higher degree of control over how businesses use their personal data.
It does this through new rights and obligations for data controllers and processors.
GDPR applies to companies operating in the EU—or those processing data of any EU citizen.
As such, GDPR compliance means that:
- You will have to provide transparency and disclosure about the purposes for which your company collects and uses personal data.
- You need to obtain specific consent from an individual when they are asked to provide information, and you will have to maintain records of all processing activities.
- You also need to create policies that outline what happens if someone decides they want their data deleted.
This way, EU residents can rest assured that their data is well-governed and is subject to privacy rights.
What is personal data under GDPR?
Under Article 4 section (i) of the EU GDPR, personal data is defined as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
In simple terms, this means any information related to an individual that can be used to identify them.
The data is classified as either sensitive or non-sensitive.
Here’s the difference between sensitive and non-sensitive GDPR data:
- Sensitive data – Any information that can be used to identify an individual, including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data that can be used in unique identification, and more.
- Non-sensitive information – This includes details such as name, address, phone number, and email address.
The type of personal data determines which rights an individual has.
For example, individuals have a greater right to access their sensitive personal data than their non-sensitive personal data.
Now, let’s take a look at data controllers and processors.
Data Controllers and Data Processors: Who Are They?
Data controllers are the entities that determine why, when, where, and how personal data is used. A controller can be an individual, a government body, or an organization.
Data processors, on the other hand, are entities that process data on behalf of those data controllers.
Both data controllers and processors play distinct roles and have different responsibilities.
As such, it’s always important to identify the role of each to help you protect your data.
What does GDPR mean to you as the data controller?
One of the new rights that EU residents have is the right to access their data.
You are considered the data controller, which means you are responsible for determining when and how you share an EU resident’s personal data.
GDPR also gives EU residents a right to rectification.
If a person’s data is inaccurate or incomplete, they have the right to request that the error be fixed. If your organization has collected or processed any personal data from an EU resident, you must tell them about their rights under GDPR.
In many cases, people will want their personal data erased. However, under GDPR, this isn’t as straightforward as it sounds because there is no concept of “deletion” in the regulation.
The regulation says that personal information must be deleted “without undue delay,” and specific safeguards must be put in place to protect any residual copies of the information stored on backups and other systems.
GDPR also gives EU residents the right to object to the processing of their personal data for direct marketing purposes, whether or not they give reasons for doing so.
If someone objects, you can’t continue with your digital marketing campaign unless they change their mind (or withdraw their objection).
Different kinds of data covered under GDPR
As mentioned above, GDPR covers a wide range of different types of personal data.
The law applies to everything from an individual’s name and photo to their home address, phone number, email address, genetic information, or a computer IP address.
In addition, GDPR doesn’t just cover the obvious personal data; it also includes online identifiers like an individual’s IP address or location history.
How Can You Take Control of Your Privacy? Here Are 3 Steps to Help You
While GDPR will protect your data and how it is used, you also have control over how you share your information.
Here are a few steps you can take into consideration if you want to take control of your private data:
#1. Improve your awareness
Remember that a privacy policy is not the law. So, many companies will have one, but it might not be very comprehensive or clear.
If you don’t understand what is in the privacy policy or the information the company is collecting, you might not have the complete picture of your privacy rights.
Try to find the company’s privacy policy and read it. If possible, print it out or save a copy in case their website goes down, and you need a record.
#2. Manage your privacy and data settings
People have many different privacy settings on many websites and might not know what they are.
For example, when you sign up for certain services, you are often given the option to manage your privacy settings. Alternatively, when you enter a website, you might be prompted to agree to a prompt about your privacy or cookies.
Make sure you understand what information the company has collected and what rights you have to manage your privacy.
#3. Explore alternatives
If you want to get serious about privacy, consider using tools such as PGP (email encryption) or VPNs (virtual private networks).
These tools encrypt your emails so that anyone who intercepts them cannot read them. Such a service will usually also offer end-to-end encryption, which means that even while your messages are stored on a server, no one other than the sender and the recipient can read them.
Let’s now explore the rights that EU residents have under GDPR.
8 User Rights to Consider Under the GDPR as an EU Resident
Under the GDPR, an EU resident has eight specific user rights. They are as follows:
Right to be informed
The right to be informed promotes transparency regarding how companies collect data.
This regulation holds that EU residents have the right to get information about how their data is processed and to demand that a company corrects or deletes the information. The company must respond to such a request within one month. If the company refuses, the EU resident can file a complaint with the regulator.
Right to access
The GDPR gives EU residents the right to request details about the data that companies hold about them. This includes the company’s data, how it is stored, and who has access to it.
EU residents can also ask for copies of their data. The GDPR requires companies to respond to such requests within one month. If the company refuses, the EU resident can file a complaint with the regulator.
Right to restriction of processing
When a company processes an EU resident’s data, it must comply with the restriction of the processing rule. This means that the company may only process the data for specific purposes. For example, a company may only store a customer’s data to service that customer’s purchase.
If the company violates this rule, the EU resident has the right to demand that the company corrects the violation. If the company refuses, the EU resident can file a complaint with the regulator.
The restriction of processing rule is also meant to protect an EU resident’s data from being hacked or breached. If a company improperly breaches this rule, the EU resident can file a complaint with the regulator.
Right to data portability
When a company stores data on its customers, the customers have the right to move their data to another company. This right is commonly known as data portability. While EU residents can take advantage of this right, they can’t force companies to offer it.
According to Art. 20 of the GDPR, data portability means that a company doesn’t have ownership of the data it holds on a customer. The company just stores the data and provides the service of using it. The data should be movable when the customer wants to switch service providers.
GDPR right to object
Right to object is found under Art. 21 of the GDPR.
It states that, on relevant grounds, an individual has the right to object to how their data is being processed. This could even include profiling.
If you are receiving marketing communications relevant to your purchase profile and if the GDPR applies to you, you can demand that the company stop sending you marketing communications.
If the company doesn’t agree, the EU resident can object to the company’s practices.
Right to avoid automated decision-making
GDPR prohibits a company from making automated decisions based on an EU resident’s data without explicit, affirmative consent. To comply with this rule, the company must provide a user with a clear, specific, and voluntary indication of the user’s consent.
The GDPR applies to any automated decisions made by a company. If you receive an email that triggers a decision, the GDPR applies.
The right to rectification
The right to rectification allows you to ask an entity to correct any errors in your data. For example, a travel site should be able to update the data about you and the dates you booked your trip. A case in point is Delta Airlines. Per the company’s policy, users can correct or update previously submitted information for marketing and accuracy.
In some respects, this right is the same as the right to data portability or the right to be forgotten. When you sign up with a website or receive a communication, the company will often ask if you want to receive updates from the company.
You should be able to say no to these emails, and you should be able to do so easily.
Right to erasure (Right to be forgotten)
The right to erasure is similar to the right to restriction of processing, but instead, it allows you to ask an entity to delete your data. This right exists in some jurisdictions but not all of Europe. The idea is that if you no longer want your data, then you should be able to ask for it to be removed.
It is closely linked to the right to be forgotten, loosely translated as the right to go “invisible.” This means you can ask an internet service provider, or any other entity holding your data, to delete it. While we have listed 8 GDPR rights here, it is important to note that there are over 12 GDPR rights in total.