The GDPR, or General Data Protection Regulation, is an evolution in information protection that was agreed upon by the European Parliament and Council in 2016. It replaces the 1995 Data Protection Directive. It is a law that requires companies to be more accountable for how they use the personal records of EU citizens, and it extends the existing rights of individuals in the UK and the EU. This regulation obliges companies to recognize the risks they pose to individuals and to make sure those risks are justified. In short, it is a progression of personal data protection. Although it took effect on 25th May 2018, the groundwork for this law had been laid over the previous two decades. It works on the principles of transparency, fairness, accuracy, security, and respect for the individual’s data that an organization wishes to process.
Why Did the Companies Send These Emails?
The purpose of those emails is basically to ask EU customers to renew their informed consent for further marketing communications and data processing, because under GDPR no organization can process an individual’s personal data without explicit consent unless there is another legal basis. The consent needs to be specific and freely given, expressed in plain words or through an explicit affirmative action by the individual. While valid, GDPR-compliant consent helps to build customer engagement and trust and puts individuals more in control, invalid consent can ruin that faith and even harm the reputation of your business.
General Data Protection Regulation
If you deal with the personal information of people living in the European Union, or if your business is based there, then you are likely to be affected by GDPR. Hence, you too need to obtain consent from your customers. The consent has to be unambiguous, specific, freely given, and informed.
GDPR has introduced specific changes to the existing Data Protection Directive to improve the way businesses deal with personal information. Now, people have the power to demand that businesses reveal the data they hold, and to challenge it. It gives individuals a chance to review their data and, on that basis, to give companies consent to process it. They can also withdraw their consent. Under GDPR, consent must be opt-in; pre-ticked opt-in boxes are not allowed. It must also be kept separate from other terms and conditions and must not be made a condition of signing up for a service.
Measures Taken for Individuals’ Data Protection
Businesses must take measures to demonstrate that they meet the principles of information protection, namely responsibility and accountability. Such measures include data protection by design and by default, and pseudonymisation.
Protection by Design and by Default
This requires a business to build data protection into the design of its business processes for goods and services. To achieve this, privacy settings should be set at the highest level, and the data processor should take procedural measures to ensure that the entire processing cycle complies with GDPR.
Pseudonymisation
Pseudonymisation is a method of altering personal data so that the resulting data can no longer be attributed to a specific individual without additional information. It is recommended for reducing the risks to data subjects while allowing data processors to fulfil their data protection obligations.
Under both measures, the owners of the databases retain the encryption and decryption keys for the records.
Improvement in Individuals’ Rights
GDPR is a regulation meant for the protection of citizens in the UK and across the EU. While it enforces data protection regulatory requirements on businesses, it has also granted certain rights to individuals:
Right to Access
According to GDPR, people have the right to access their information and to learn how businesses are processing their data. On such a request, businesses are bound to provide an overview of where the information is being used, along with a copy of the actual records.
Right to Erasure
The new regulation has replaced the existing ‘Right to be Forgotten’ with the Right to Erasure. Individuals now have the right to request deletion of their personal data (including data that is relevant to regulatory agreements).
GDPR and Gambling Regulation
Both the ICO (Information Commissioner’s Office) and the Gambling Commission are aware that the use of personal information is vital for tackling issues such as gambling-related offenses and problem gambling. According to the ICO, GDPR is not intended to prevent companies from taking any step that is required in the public interest to comply with the regulatory requirements for holding a license.
GDPR cannot be used as an excuse for not taking steps that keep the organization in compliance with license requirements, promote the licensing objectives, or support responsible gambling. The ICO would, however, offer assistance and support to help businesses operate within both the regulatory framework and GDPR.
The approach of GDPR’s effective date prompted many organizations to alter their privacy policies to meet the new requirements. In doing so, they ended up sending an endless stream of emails, messages, and on-site notifications, despite having had two years to prepare. This has been widely criticized for causing unnecessary fatigue among the individuals receiving them. Some emails have wrongly asserted that consent had to be obtained afresh on GDPR’s effective date. In reality, prior consent is also valid as long as it is well documented and complies with the GDPR requirements. Many phishing emails are forged versions of these consent emails. There is no need to panic: GDPR is simply an obligation that works in favour of individuals, and there is time to get it done. It grants you more rights to better control the use of your personal information. Decide whether you want to give businesses consent to process your information, or whether you want it erased. After all, it is your consent!