Given the recent developments over the massive misuse of online data, it was only natural for citizens to feel concerned, even anxious, over the control of their data by businesses.
The opt-out system, for example, was one of the mechanisms employed for data collection. It was an automatically driven process that enabled companies to gather data with the user almost sleepwalking through the process. The scale of data collected was huge and people could not comprehend why it was necessary at all.
The GDPR aims to plug that and other similar loopholes that caused users to feel cheated about how and where their personal data was being collected and used.
Personal data is meant to be personal. The correlation and processing of data could become uncontrolled and could scale to a level where it could be used for unethical and inappropriate purposes such as fraud and manipulation, if legislation were not enforced to put some brakes on.
With the GDPR, the government has addressed some serious concerns. The idea behind GDPR and the £20 million fine for non-compliance is to enforce, reclaim and restore the following rights and privileges of online users.
Until now, the terms of use of a site were presented as fine print, likely in a tiny corner somewhere. Deliberate or not, this led to a lot of hidden data collection where the users were not even aware that any such collection was in place.
As a default, the privacy of the user needs to be set to the highest level and not otherwise.
2. Consent for data collection should be a careful consideration of the user
Many sites had an automatic mechanism of data collection. Often, if you visited a site, you would find yourself auto-subscribed to its mailing list. This is because they used a pre-checked tick-box strategy that works on the principle of ‘opting out’.
Users did not bother to check the defaults and ended up being ‘manipulated’ into giving their details.
Now, clear user consent will be required to collect any data. Rather than an opt-out approach, each site will require an explicit and active opt-in system, where the user decides to opt in based on the information given to him and his careful consideration of the choices he has.
As a consumer, one can expect a lot more control of data through this active consent approach because data will need to be channelled through the user himself.
3. Personal data belongs to the user
Before the GDPR, data was mostly stored in ‘silos’ or ‘walled gardens’ where it was vendor specific. It was unavailable to the user in any comprehensible form other than some analytics.
GDPR comes with the right to data portability. Data will have to become handy and be downloadable in a smart form. This means users can access the data at will, can understand it and can also transfer or move the contents across multiple vendors, depending on whom they trust.
When users can move or copy data across controllers, it gives them more power over their data and the purpose of its use.
4. Privacy is a fundamental right of every individual
The right to deletion has existed in a narrower form on sites like Google. It gave users the right to request deletion of their personal data if they felt it had no reason to be collected and stored.
GDPR has introduced a stricter provision called the ‘Right to be Forgotten’. With this right in place, a user can now request complete erasure of all data associated with his account.
Along with the data portability right, this can be a powerful tool to make sure that discord between users and businesses can be avoided in the context of privacy.
This is a reassurance to users that they will not become mere data subjects whose identity and activity are monitored and captured only to enable business profits.
The ‘right to be forgotten’ also demonstrates how positive principles and interventions can be applied to the noble relationship between business and consumer.
5. Identify and rectify any breach with due notification to the users as well as the authorities
According to the GDPR, any breach of data is to be considered significant. It should be reported to the authorities without any delay. At the same time, the affected users should also be alerted and corrective measures should be taken to prevent further damage.
Conclusion – The way ahead
While there are grey areas in the legislation at present, the interests of citizens have largely been addressed through the GDPR. It is a corrective first step and might need improvement along the way, but the principles have been laid out clearly and strictly enough to deter much non-compliance.
While the GDPR will improve transparency and give more control to users, what remains to be seen is how well citizens themselves are able to exercise their rights within the premise of GDPR.
It also remains to be seen whether GDPR can work as a sustainable framework that improves transparency without hindering the growth of technology itself.