The mighty and terrible GDPR

  “Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.”
Marlon Brando

  In 2016 the European Union adopted the General Data Protection Regulation, a.k.a. GDPR, and everyone then had two years to adapt. But who does everything on time? As you probably noticed in May 2018, a flood of services informed you that they had updated their privacy policy. GDPR has now been in force for a few months.

  Now imagine for a minute that ALL of your data is encrypted and stored in the cloud, and YOU are the only one who can access it. Your account synchronises with your personal computer, smartphone and tablet. Anyone who wants to access your files, messages or emails needs additional consent from you, the owner. Third parties and companies get even more limited access. One big red button cuts off access for everyone. Social networks have to ask your consent every time they want to use your data for targeted ads. Personal data becomes more valuable: anyone willing to make their data public receives real compensation for it.

  All of that should have happened on 25 May 2018, the day GDPR became applicable. It should have happened without anyone noticing, but because of human laziness and the complexity of the new principles, we got what we got: spammed mailboxes, usually accompanied by the comment “Well, I never thought companies held so much information about me”.

  The main principle of GDPR is not only lawful processing of personal data but also its secure handling: Art. 32 requires appropriate technical and organisational measures, explicitly naming encryption and pseudonymisation. In practice this means personal data MUST NOT be stored in the clear or disclosed to other clients.

  It is not a hard principle to respect, but sometimes it goes wrong. The developer of an ad-blocker plugin managed to shoot himself in both feet: he sent an email announcing the update of the privacy policy to GDPR requirements to approximately 500 users, with all of their addresses visible in the To field. Main principle broken, with great success!

  Source
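The incident above is easy to reproduce and easy to avoid. The following is an added example, not code from the article or from the plugin in question: it builds the faulty single message (everyone in To) next to the correct one-message-per-recipient form, and adds a header check that refuses to send anything exposing more than one address. The sender address, subject, body and recipient addresses are constructed sample data, and the SMTP host in `send_all` is assumed to accept STARTTLS without authentication.

```python
# Added example (not from the original article): send a bulk notice such as a
# GDPR privacy-policy update without exposing the recipient list.
# The failure described in the article is one message whose To header carries
# every address, so each recipient receives everybody else's address. The fix
# is one message per recipient, so the only address visible in the headers is
# the recipient's own. All addresses below are constructed sample data.
from email.message import EmailMessage
from email.utils import getaddresses
import smtplib

SENDER = "noreply@example.com"          # assumed sender address
SUBJECT = "We have updated our privacy policy"
BODY = "Our privacy policy has been updated to reflect the GDPR. ..."


def build_bulk_notification(sender, recipients, subject, body):
    """The mistake: one message addressed to everybody at once.

    Every recipient sees the full list in the To header.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_notifications(sender, recipients, subject, body):
    """The fix: one message per recipient, with only that recipient in To."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def visible_recipients(msg):
    """Addresses a recipient can read from the headers (To, Cc and Bcc).

    Bcc is checked on purpose: if a Bcc header survives into the delivered
    message, it is just as exposed as To.
    """
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _name, addr in getaddresses(fields)]


def leaks_recipients(msg):
    """True if the message headers expose more than one recipient address."""
    return len(visible_recipients(msg)) > 1


def send_all(messages, smtp_host, smtp_port=587):
    """Send only batches that pass the leak check. Not executed in this example."""
    # Gate before connecting, so a bad batch never touches the network.
    leaking = [m for m in messages if leaks_recipients(m)]
    if leaking:
        raise ValueError(f"{len(leaking)} message(s) would expose other recipients")
    # Assumed: the relay accepts STARTTLS and needs no login.
    with smtplib.SMTP(smtp_host, smtp_port) as smtp:
        smtp.starttls()
        for msg in messages:
            smtp.send_message(msg)


if __name__ == "__main__":
    people = ["alice@example.com", "bob@example.com", "carol@example.com"]
    bad = build_bulk_notification(SENDER, people, SUBJECT, BODY)
    good = build_notifications(SENDER, people, SUBJECT, BODY)
    print("bulk message leaks:", leaks_recipients(bad), visible_recipients(bad))
    print("per-recipient leaks:", [leaks_recipients(m) for m in good])
```

Sending 500 individual messages costs 500 SMTP transactions instead of one, which is the entire point: the envelope and the visible headers of each message contain exactly one customer's address. Putting everyone in Bcc is the common shortcut, and `smtplib.send_message` does strip the Bcc header before transmission, but the check above still flags a multi-address Bcc so a message serialised by some other path cannot carry the list out.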

  Let us dig a little deeper. GDPR’s main goal is to give users control over who uses their personal data and how, and the ability to forbid access to that data at any moment. Companies very often gather personal data to build better marketing strategies and, most importantly, to make them specific: targeted at each user according to his interests and preferences. There is plenty of such information about each of us on the internet: likes, visited web pages, even the way we move the mouse on a page. From it one can infer an average user’s age, sex, relationship status, job, consumer habits and so on. Add geolocation tracking to that list and the volume of information about each individual is frightening, especially when you think about it leaking. Even more frightening is the idea that a user’s behaviour and decisions could be manipulated; recall the case of Cambridge Analytica.

  A Cambridge study performed some time ago revealed that just 10 likes are enough to know a person better than his co-workers do. Around 70 likes give enough information to know that person as well as a close friend does, and 150 likes are enough to know him like his parents or siblings. Looked at from the user’s perspective, the benefit of adopting GDPR is obvious. Its main goal is to limit the uncontrolled use of personal data for commercial purposes, where the subject of that data has no idea who is using the information about him gathered from various sources on the internet, for what purpose, or in what way.

  «This Regulation applies to the processing of personal data of data subjects who are in the Union…».

  GDPR, Art. 3 (2).

  Note the wording: what matters is where the data subject is, not his citizenship. Under this provision, processing the personal data of people located outside the EU is not covered, while processing the personal data of someone travelling across the EU is covered even if he is not a citizen of an EU member state.

  Consent is not always required, and the regulation does not reach every company either. For companies not established in the EU, GDPR applies only where the processing relates to marketing (offering goods or services) to people in the EU or to monitoring the behaviour of people in the EU.

  «This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.»

  GDPR, Art. 3 (2).

  Where processing is necessary to perform a contract with the user, separate consent is not required (Art. 6(1)(b)). Keeping or using the data for purposes beyond that contract needs another lawful basis, and in practice that usually means the user’s consent.

  Suppose a company violates GDPR; the penalty will not be applied right away. Regulators in the various EU countries have only just started working with the new law and will take a cautious attitude towards penalties. They are unlikely to be in a hurry to fine anyone; they would rather issue at least a warning first. The size of the penalties (described in Art. 83, with a ceiling of €20 million or 4% of worldwide annual turnover, whichever is higher) is meant to vary so that they are effective: the aim is not to kill the business but to steer it onto the right path. The amount is determined case by case, weighing a large number of factors. A heavy penalty costing the company several millions could be applied if the company knowingly and maliciously violated the rights of data subjects, hid this carefully and profited handsomely from it.

  As was said during an informal meeting with representatives of the European Commission, several demonstrative proceedings may be brought against certain giant companies, so that it becomes clearer in practice what happens when one violates GDPR.

  That is the long story made short, seasoned with my own thoughts and then some. Detailed information about GDPR can be found at the following link.

  Even though this article came out a little late, I really hope it has helped someone clear things up.


Alexandru Bezu
Java Developer