GDPR: What Is It and How Does It Affect You?
Tips / 04.10.2018
A few years ago, you were most likely bombarded by emails from pretty much every site you use with headlines like “We’ve updated our privacy policy”. In all honesty, we don’t blame you if you simply disregarded them without giving them a second thought. Nobody likes to read boring legal texts, especially at home!
But have you ever been curious about just why so many sites decided to all of a sudden update their privacy policy and whether that change is at all beneficial to you?
Well, the truth is that the key to both of those answers lies in just four letters – “GDPR”.
What Is GDPR?
To put it simply, GDPR stands for General Data Protection Regulation: a law adopted by the EU (European Union) in April 2016 that has applied in every member state since 25 May 2018. It has been described as “the most important change in data privacy regulation in 20 years”.
As a result of this regulation, companies that process the personal data of people in the EU can no longer simply take whatever data they like and then store, share or sell it any way they want.
Under the data minimisation principle (Article 5(1)(c), reinforced by Article 25’s “data protection by design and by default”), a company may only collect the personal data that is adequate, relevant and necessary to provide its service, with your e-mail address, phone number, postal address, health records and even your name all counting as personal data.
For example, imagine that you sign up for a website that asks for your phone number. If the number is not needed for anything the site actually does, such as logging in or 2-step verification, the site has no basis for collecting it in the first place.
And under the separate storage limitation principle, personal data the site did legitimately collect must be erased once it is no longer needed for the purpose it was collected for.
While tighter controls over personal data collection and data processing are GDPR’s main goal, the regulation helps consumers in smaller ways too.
For instance, when a data breach is likely to put people’s rights at risk, a company must report it to its national data protection authority within 72 hours of becoming aware of it, and must also tell the affected individuals without undue delay when the breach is likely to result in a high risk to them. Failing to do so exposes the company to warnings, orders and fines from that authority (for breach-notification failures, up to €10 million or 2% of worldwide annual turnover, whichever is higher).
What Impact Does GDPR Have On You?
So what does all of this mean for you as a consumer?
Ultimately, it means that you now have access to a total of eight fundamental rights as a consumer:
- Access: you have the right to ask any organisation, local or international, what personal data it holds about you, why it is processing it and who it shares it with, and to receive a copy. The first copy must be provided free of charge.
- Information: website visitors must be told, at the time their data is collected, what their personal information will be used for, on what legal basis, and for how long it will be kept.
- Data portability: where processing is based on your consent or a contract and is carried out by automated means, you can receive your data in a structured, commonly used and machine-readable format, and have it transmitted directly to another provider where that is technically feasible.
- Erasure (the “right to be forgotten”): you can ask a business to delete your personal data, for example when it is no longer needed for the purpose it was collected for or when you withdraw the consent the processing was based on. Once consent is withdrawn, the company can no longer rely on it to keep processing your data, including for marketing.
- Objection: you can object to a company processing your data, and where the processing is for direct marketing the company must stop without exception. In practice this often happens via e-mail list unsubscribe links, phone calls and other channels.
- Restrict processing: you can ask a business to restrict processing of your data, for instance while you dispute its accuracy or while an objection is being considered. While the restriction applies, the company may still store the data but may not otherwise use it, except with your consent or for limited reasons such as legal claims.
- Notification: if a breach of your data is likely to result in a high risk to you, the company must notify you without undue delay, in clear and plain language, describing what happened and what you can do about it. Breaches that are likely to put people at risk must also be reported to the data protection authority within 72 hours; only breaches that are unlikely to result in any risk are exempt from that report.
- Rectification: you can ask a business to correct inaccurate personal data and to complete data that is incomplete, so that the records it keeps about you are accurate.
Being aware of all of these rights helps you protect yourself on a legal basis. A business that ignores a valid request or fails to protect your data can be ordered to comply by a data protection authority and fined up to €20 million or 4% of its worldwide annual turnover, whichever is higher; individual EU countries may add criminal penalties on top of that.
In addition, companies are obliged to process data securely using “appropriate technical and organisational measures” (Article 32), which explicitly names pseudonymisation and encryption as examples. In practice this can mean requiring employees to use two-factor authentication, encrypting data in transit and at rest, restricting access to staff who actually need it, and similar controls.
What Data Is Considered Personal Data?
So far, we’ve covered that GDPR affects all personal data relating to collection, storage, and processing.
But what classifies as such data in the first place? The answer lies in information that enables a user to be directly or indirectly identified.
Such personally identifiable types of data can be:
- Names;
- Email addresses;
- Location data;
- Ethnicity;
- Gender;
- Biometric data;
- Religious beliefs;
- Web cookies;
- Political opinions.
Some of these (ethnicity, biometric data used to identify someone, religious beliefs, political opinions and health data) are “special categories” under Article 9 and may only be processed under much narrower conditions. To fully understand how GDPR applies to companies, it’s key to be aware of a few more terms.
First, there’s data processing – any operation performed on personal data, whether by manual or automated means. This includes collection, storage, organisation, disclosure, erasure and other activities related to the data. For instance, if a business regularly and systematically monitors users via web cookies, that is data processing.
All of these activities are also subject to the purpose limitation principle: personal data may only be collected for specified, explicit and legitimate purposes, and may not later be processed in a way that is incompatible with those purposes.
On the other hand, a data subject is someone whose personal information is being collected, stored, or processed. Data subjects have certain rights under GDPR, which we mentioned above.
A data controller, in contrast, is the organisation that defines the purpose and means of personal data processing. This could be a public authority or public organisation that gathers information for public interest reasons. Data controllers must ensure that all data protection principles are adhered to, especially when sending information to third countries.
At the same time, a data processor is the party that handles the data processing on behalf of the data controller.
Even though processors act on behalf of controllers, they have obligations of their own under GDPR: they may process data only on the controller’s documented instructions, must implement appropriate security measures, must assist the controller with data subject requests and breach handling, and must notify the controller without undue delay when they discover a breach. The duty to explain how and what data is collected and processed, in clear and plain language, lies with the controller, but the processor must support it.
Finally, data portability is the right, described above, that lets users receive their personal information in a structured, commonly used and machine-readable format, enabling easy transfer between providers.
What Will the Long-Term Effect Be?
GDPR laws are extremely important and have future implications. They’re expected to reshape global standards associated with data privacy and security, offering a benchmark for regulations around the world.
Companies, even those that operate outside the EU, are gradually adopting GDPR practices to strengthen trust and create loyal customers.
Given the technological advancements that are forecast for the coming years, expectations are that GDPR will continue adapting to the needs of different markets. The regulation’s text itself has changed little, but supervisory-authority guidance and court rulings keep refining how it applies, and companies regularly update their privacy policies to keep pace.
Why Is GDPR a Concern for Non-EU Companies?
GDPR is a top concern for non-EU companies because it applies to them too whenever they offer goods or services to people in the EU or monitor their behaviour (Article 3(2)). This means that a company registered outside the EU that sells to customers in EU countries must adhere to all the rules that apply under GDPR, and unless an exemption applies it must also appoint a representative established in the EU (Article 27).
Oftentimes, this poses challenges related to compliance costs, potential fines and penalties, data transfers, and more.
What We at myPOS Do
With all that in mind, a good question is: does this affect myPOS at all? And the short answer is yes, absolutely!
As a financial institution, myPOS is also subject to other legislation (such as anti-money-laundering rules) that requires it to collect and process more data than many other organisations. If you’ve chosen to work with us, you may remember having to provide us with data like receipts, records of expenses and other pieces of information.
In accordance with GDPR obligations, we will not store any personal data you provide us with (for example, information on a receipt) that’s irrelevant to our inquiries. Whether you are using our solutions for receiving online payments or using a myPOS merchant account, we will only store data that is either necessary for our business relationship or mandated by a different regulation.
myPOS has always ensured to retain its clients’ privacy and delete all personal data soon after it ceases its function.
Furthermore, myPOS is GDPR-compliant and has a Data Protection Officer who ensures this stays the case.
While our intention to continue doing so hasn’t changed one bit (and wouldn’t have changed even if GDPR had never come into force), the national data protection authorities across the EU member states now closely monitor how we and other companies process personal data, which is a big win for the average consumer. So you can rest assured your personal data is safe with us.
Check our privacy policy and if you have any additional questions regarding your personal data and how we ensure GDPR compliance at myPOS, we’d love to hear from you! You can contact us by e-mailing [email protected] and we will be happy to help you.