GDPR – To erase or not to erase?
To erase or not to erase? To consent or not to consent?
The summer holidays are over and the traffic is back to normal. With life settling back into its usual rhythms, we find time to look ahead at some key issues on the horizon. One of the key discussion topics is the General Data Protection Regulation (GDPR), which is coming into force on 25 May 2018.
You might ask why we needed to change the current data protection legislation, the Data Protection Act 1998 (DPA). GDPR has come about because of the evolution in the way we live our lives and the way we work. When the DPA came into force there were no smartphones, the internet was still very much provided by a modem making alien sounds as it connected, and cloud computing was a futuristic concept.
So why might you, as an individual (and most likely also a consumer), want to know about GDPR? Essentially because personal data is afforded greater protection by the GDPR. Personal data is requested, processed and occasionally sold by third parties on a daily basis. Think about the information you provide when shopping online, coupled with the targeted advertising on the website you’re browsing, and you can easily see that data is king.
Given the scope of the GDPR, it makes sense to highlight just a couple of themes which become law on 25 May 2018. The first is the new ‘right of erasure’, which evolved as a result of the Google v Spain case. The European Court of Justice ruled that EU citizens have a right to request that search firms such as Google, which gather personal information for profit, remove links to private information when asked, provided the information is no longer relevant. The right under GDPR mirrors this ruling to a certain extent and will allow individuals to require the erasure of their personal data without delay in certain situations, such as where consent is withdrawn and no other legal ground for processing the data applies. There is also an obligation for third parties to be informed that an erasure request has been made, which would include deleting links to and/or copies of that data. Effectively, no trace or footprint of the individual should remain.
Another step change under GDPR is consent. Your consent will need to be freely given, specific, informed and unambiguous. Pre-ticked tick boxes will be a thing of the past, and the consent wording should be separate from other terms and be in clear and plain language (i.e. it can’t be hidden in a 30-page set of terms and conditions). No doubt you’ll have come across consent wording which was so contrived that you didn’t know whether you were giving your consent or indeed what you were consenting to. Your consent to the processing of your personal data must be as easy to withdraw as it is to give, and consent must be “explicit” for sensitive data.
This is simply the tip of the GDPR iceberg, and it will be interesting to see how an erasure request or a new consent process works in reality with the nuances that exist in real-life scenarios.