Explained: what the EU’s major new data protection rules mean for you

New data protection rules, the General Data Protection Regulation (GDPR), come into force in the EU in May.

Having the right to be forgotten

The idea of a consumer having the right to be forgotten is nothing new — it’s already in existing EU legislation.

It came to prominence four years ago when the European Court of Justice ruled that Google must remove from its search results data that was no longer relevant about Spanish man Mario Costeja González.

So GDPR is not groundbreaking in this area. It just aims to provide more clarity on when and how consumers can ask for data to be erased.

For example, users can ask a company to delete data it has on them if it no longer serves the purpose for which it was collected.

So if you have a Facebook account and you close it down you can ask the social media giant to delete that data.

But it’s unclear how this will work in practice. Even if you close down your Facebook profile, a friend could still publish a photo of you. If you ask Facebook to delete this data, will they be able to oblige, especially if there are a large number of requests?

There are also important exceptions: Europeans will not have an absolute right to have all data on them erased.

If the data concerns freedom of expression or is in the public interest — for example a news article about an MP’s taxpayer-funded expenses — it might be tougher to get it erased.

More clarity on what you’re giving consent to

That’s the idea, anyway.

For example if you sign up for an online language course the college would only be able to use your data for this purpose.

It would not be able to sell your details on to third-party companies who might then use them to offer you other services.

GDPR asks websites to make it clear what the consumer is signing up for by using plain language.

This could spell the end of catch-all tick boxes that ask online users if they agree to the terms and conditions of a particular website.

Being told if your data is breached

At the moment if your e-mail account is hacked you’re likely to find out on the news.

But the new GDPR tells companies — in the cases of serious breaches — they have to tell their customers of a breach “without undue delay”.

Protection against ‘the computer saying no’?

This provides consumers with protection if companies make choices — for example whether to grant credit or not — based on computers alone.

GDPR aims to give Europeans the right to demand that a human reviews any of the automated "profiling" decisions.

More privacy from the start

This is about designing products and devices so that the concept of privacy is built-in from the outset.

For instance if Google brought out a new internet browser to replace Chrome it would have to ensure the default setting does not hoover up more data than it needs for operating as a tool to surf the web.

It would be the same for new technology. For example a fridge designed to be used as an Internet of Things device would have to protect personal data.

Your data should be easier to move around

GDPR allows consumers to get access to their data so that it can be used across different services.

For example you may decide that it would be more advantageous to switch to a more secure online e-mail provider.

In this case you could contact your existing supplier and ask them to supply all your contacts and messages sent and received, so that you can then transfer them over to your new email supplier.

It follows a scheme in the UK that allows banking customers to download data of their transactions and hand them to price comparison websites in order to help consumers find the best current account deal.

This article was written with the help of Diego Naranjo, from European Digital Rights, and Jon Baines, chairman of the UK's National Association of Data Protection Officers.