By now most EU citizens will have heard of GDPR, even if they do not know a lot of details about the new law. GDPR, or the General Data Protection Regulation, was introduced on the 25th May 2018 after a two-year grace period. After this date, all organisations to whom GDPR applies were expected to be fully compliant with the regulation. All employees were expected to be thoroughly trained on GDPR compliance and on adopting the regulations in the workplace.
GDPR puts an emphasis on individual privacy, awarding “data subjects” (the people to whom the data pertains) a number of rights. The goal of these rights was to ensure that individuals had agency over their own data and how that data was to be used. The main rights are summarised below:
- Right to access: All data subjects have the right to obtain copies of their data.
- Right to rectify: Data subjects may request to change details in their data file if they are incorrect.
- Right to object: Data subjects may prevent controllers or processors from using their data in specific ways.
- Right to restrict processing: Data subjects may request that their data is not processed further.
- Right to erasure: Data subjects can request that their personal data is erased by controllers without undue delay.
- Right to data portability: Data subjects can request copies of their data in convenient formats.
- Right to complain: Data subjects may lodge a complaint with a relevant authority in their country of residence if they feel their data is being mishandled.
- Right to judicial remedy: If a data subject wishes to prosecute for misuse of data or other breaches of GDPR, they may seek a judicial remedy.
- Right to receive compensation: Data subjects have the right to receive compensation for material or non-material damage caused by GDPR violations.
- Right to representation: The data subject has the right to be represented when lodging complaints or seeking compensation for GDPR-related issues.
- Right to be informed: The data subject must be given information at the time of data collection regarding the intended use of the data, how long it will be held and any other relevant details regarding data processing.
These rights are awarded to all EU citizens as part of GDPR’s mandate. GDPR applies to all organisations working inside the EU, as well as to organisations based outside of the union as long as they handle the data of EU citizens. This, again, demonstrates the emphasis the EU puts on its citizens’ data rights.
There are a few exceptions to the general data privacy rule. If data relates to issues of national security, the prosecution of a crime or public health threats, or is part of a request for freedom of information, it may no longer be treated strictly as “private data”. This does not mean it will be freely and publicly disclosed, but rather it will be used by individuals for research or to complete a task related to one of the above areas.