Data rights according to next year's EU policies
With less than a year before the General Data Protection Regulation goes into full effect, the clock is ticking.
The GDPR is a collection of regulations to protect European Union citizens across the web. If your website gathers any user information and can be accessed by anyone in the EU, then your company is at risk of violating the laws. Violations are subject to exorbitant fines, so it is in your best interest to know the upcoming rights of EU citizens.
Protected data can include names, email addresses, demographic data, location data, economic data and so much more.
Below are the top four rights of EU users under the GDPR. This list is meant to give you a high-level overview. Hopefully, if the GDPR affects your business, you have already begun the work. If not, it’s time to roll up your sleeves and get to it.
Condition for consent
Before you gather any data, you must receive explicit consent. “Explicit” is the key word here. Implying consent from a pre-ticked checkbox, silence or any inactivity by the user is a no-go. You need to force the user to interact with your site in some way to confirm consent. Furthermore, and for your own protection, you’ll want to have some sort of audit trail to prove you gathered this consent.
Right to access data
Users may request their information and also may request to learn how their data was accessed, where it was accessed, what categories of data are accessed and who has access. Failure to respond to requests in a “timely manner” will result in a violation.
Right to erasure
Users may request deletion of data at any time. This means deleting all of the data. If it has been distributed, any entity that controls the data must be notified to erase it without delay.
Right to rectification and objection to profiling
Users can request corrections to their data, or object to profiling altogether. The user shall have the right to have incomplete personal data completed by providing a supplementary statement.
In some instances, a data officer could assist in this process, and may be a requirement if your business reaches a certain threshold. Even if your business does not require a data officer, we recommend a thorough evaluation of the user experience in collecting data and your back-end process for storing data.