The whole idea behind data protection is to protect a data subject's rights. The data protection laws are based on our Human Rights and our right to privacy. The data protection rights have evolved with the growth of our technical development and use of the world wide web.
The ‘internet of things’ has increased the use of our personal data 10-fold. Every day we are sharing our personal data in some way or another, from being asked for our email address for a receipt to cookies being uploaded to our devices every time we visit a website.
Money made the world go round 10 years ago; now it is data. Your information is gold to organisations that want to sell you their product. Organisations will pay for your information from other organisations that specialise in scraping the net for data. Yes, that is a thing.
So the General Data Protection Regulation, or GDPR as you know it, gives us eight rights, which we can enforce whenever we like and as many times as we like. Any new Data Protection Law is now based on the GDPR and will in the main mirror the Principles and Rights of GDPR.
The right to be informed, the right of data access, the right to rectification, the right to erasure (right to be forgotten), the right to restrict processing, the right of data portability, the right to object and rights relating to automated decision-making and profiling.
Some laws exclude certain rights and others add some more, like the California Consumer Privacy Act (CCPA). In California, data subjects have the right for their data NOT to be sold, so website owners or organisations offering goods into California have to allow site users to let the site owner know that they cannot sell their data.
The main data protection right we all know about is your right to access, but there are seven more that are equally important.
Let me explain them to you (the articles mentioned are all from the GDPR).
What it means to you:
Well, look at the bottom of the page on most websites and you will find a Privacy Notice or Policy. When you select this you should get a document with all the information you need about what the company does with your data. It should tell you how they collect it, what they do with it, who they share it with, where they store it, how long they keep it and how they dispose of it. They should also remind you of your rights, what the process is for you to get access to your data, who to complain to if you are not happy and who the Data Protection Officer or main point of contact is. Wow, that’s a lot of information.
(Article 15)
Anybody can ask an organisation if they have personal data concerning them and if so the individuals are entitled to obtain from the organisation (among other things):
What that means for any organisation (this means companies, retail outlets, online stores, clubs, charities, any company or individual that records your data for a given purpose):
This is your right to get whatever information the company holds about you. It is important to note that you can only get YOUR data, not anyone else's or any other information that is not deemed to be about you. Ex-employees mostly use this, especially if they have been dismissed for some reason; they think there might be some information about them that will get them some form of retribution against the company. 9 times out of 10, there is not.
This is free as long as it is not excessive or unfounded; if it is, companies can charge a ‘reasonable admin fee’. In most countries the company has one month to reply to your request, although they can extend the time by a further two months if it is a complex request.
(Article 16)
What that means to you:
This right allows you to change any information the company has about you if it is inaccurate or incomplete.
(Article 17)
What that means to you:
Now, people think that they can get companies to delete all their information by just asking. You can, if the company has no other legal reason to hold your information. An ex-employee cannot ask a previous employer to delete all their data; the employer can legally keep the information for a number of lawful reasons. If they do not have a lawful reason to keep it, then they must delete your information.
If you enforce this right, the company should tell you why they cannot comply with your request and what lawful reason they have to keep it.
What that means to you:
This is used when you allow a company to have your information but you don’t want them doing a particular thing with it. For example, you have a gym membership and you allow the processing of your data; sometimes this is by consent, at other times the gym will have a legal basis to have and process it. You do not want marketing material from the gym, so you have restricted what they can do with it.
(Article 20)
What this means for your SME:
The easiest way I can explain this is when you ‘Port’ your mobile number to another mobile network provider. You are asking the old provider to send all your information to the new provider, so you are using your right to data portability. If you change a gym membership to another gym, you can ask the old gym to send your information to the new one; again, this is data portability.
(Article 21)
What this means for your SME:
Right, you get an annoying email from a company you have never heard of asking you to buy new windows. You unsubscribe from their database; this is objecting to the processing of your data. That company cannot send you any more emails; if they do, they are in breach of the law.
(Article 22)
What this means for your SME:
The best example of this is a credit check being run on you when you want a loan or want to get a new TV on hire purchase. If the check comes back against you and you cannot get your loan or TV, you can insist on a person making the decision and not a computer. As for profiling, if you hold a store loyalty card, the store collects all sorts of data about you and can send you information purely based on your shopping. This is profiling you; you can object to this and they have to stop doing it.
CookieScan is the first cookie management system pop-up that has included your data protection rights. From the pop-up, website users can now access the ‘request your data privacy rights’ section and directly submit a request for one of their data protection rights to the website owner. Any of the above eight rights, plus your right not to sell your data, is available. Once you complete the small questionnaire and submit your request, you will receive a verification email. Once your email has been verified, your request is sent to the website owner for them to process.
They might contact you directly for more information, but at least it will get the ball rolling. If for example you request access to your data, the website owner will invoke their own process and contact you directly to get more information about what it is you are after.
CookieScan not only looks after your total cookie compliance, it now helps you with parts of your data protection compliance. By having this on your website, you will show your potential customers how seriously you take data protection and, more importantly, protecting their data.