The EU Data Protection Day is an annual event on 28 January that is intended to promote privacy awareness for individuals in their private life and at work.
Data Protection Day may be a one-day event, but its principal aim, to promote awareness of data protection and the need to maintain good privacy practices, particularly when using online services, applies all year round.
There are some relatively simple steps an individual can follow to keep their information safe. First, do not overshare. This includes information that is shared with companies and what is posted on social media. It is important to consider who might see what you share, and how they could potentially misuse it.
Secondly, individuals should be aware of and take control of privacy settings on all their devices and accounts. This may, for example, include cookie permissions and apps. As a general rule, it is advisable to only give apps and services the permissions they need to function. Location data permissions, for example, should be given out sparingly.
Care should be exercised with passwords and logins. Strong passwords should always be used, and it is important to avoid using the same password for multiple accounts. One of the strongest forms of password is a phrase or sentence (a passphrase). Alternatively, a mix of numbers, letters, upper and lower case, and special characters is recommended. Obviously, remembering many complex passwords is difficult, so a password manager can be used to make life a little easier. Next, enable multi-factor authentication for your accounts whenever possible. And finally, never save your logins in your browser, and log out after every use.
Common Myths & Facts
The General Data Protection Regulation (GDPR) completely changes the way organisations need to handle their data.
The EU has had data protection rules since 1995. The GDPR is not a completely brand new set of EU data protection rules. It is an evolution of pre-existing rules, based on strong data protection principles. In the UK, data protection law was introduced by the Data Protection Act 1998, and the GDPR and the new Data Protection Act 2018 ensure our data protection rules are fit for the digital age.
GDPR will stifle technical innovation, such as artificial intelligence (AI)
GDPR makes sure that personal data are protected when processed by artificial intelligence (AI). The protection of personal data is a fundamental right in the EU, and it also applies to the processing of personal data through artificial intelligence. GDPR is technology neutral and is designed to allow the development of AI that is respectful of citizens and their rights. GDPR allows automated decision making where there is a justification, either a contract, explicit consent or a law, and provided that safeguards for the individuals are applied, such as the right to receive meaningful information about the logic involved and the likely consequences of such processing for individuals.
Names of individuals cannot be displayed in public places
Consent is not the only legal basis for processing data. Common sense still applies in the field of data protection. For example, names do not have to be removed from doorbells or mailboxes. As well as consent, personal data can be processed where there is a “legitimate interest”, such as where people need to know who lives in a building to deliver parcels and letters.
GDPR is overwhelming for businesses
The obligations are not the same for all companies and organisations. The GDPR is not meant to overburden businesses. The obligations are calibrated to the size of the business and/or to the nature of the data being processed. Smaller companies that process less data and do not process sensitive data, such as political views and sexual orientation, will have fewer obligations to follow. For example, not every company has to appoint a Data Protection Officer or carry out a data protection impact assessment.
GDPR only applies to European countries
Non-EU companies must comply with GDPR too. All companies operating in the EU market must comply with the new rules, no matter where they are based or where their data processing activities take place. All companies will be subject to the same sanctions if they break the rules. This creates a level playing field for both EU and non-EU companies.
Despite GDPR, companies simply ask for consent once and then they do what they want with my data
Companies must ask for consent a second time if they want to use your data for a second purpose. If personal data is collected from an individual based on consent (i.e. no other lawful reason exists), the organisation must make clear for what purpose the data is required. If the organisation subsequently wants to use the data for another purpose, or forward it to a third party, they must ask for the person’s consent again.
The fines under GDPR can kill a business
Breaking the rules doesn’t automatically mean a €20 million fine – warnings exist too. The GDPR establishes a range of penalties for those who break the rules. As well as fines, there are other corrective measures, such as warnings, reprimands and orders to comply with data subjects’ requests. A data protection supervisory authority’s decision to impose a fine must be proportionate and based on an assessment of all the circumstances of the individual case. If it decides to impose a fine, then €20 million or 4% of annual turnover is the absolute maximum amount. The amount of the fine depends on the circumstances of the individual case, including the gravity of the infringement and whether the infringement was intentional or negligent.
The UK won’t be bound by GDPR after it leaves the EU
The UK is committed to strong data protection laws. On 31 January 2020, the UK will enter a “transition” period under the EU-UK Withdrawal Agreement. During this time, the UK – although no longer part of the EU – will remain subject to EU laws, including the GDPR, and so UK data processing activities will remain largely unaffected. After that, it is envisaged that the EU and the UK will agree on the adequacy of UK data protection law and thus maintain a working relationship on data protection.