GDPR for dummies: What is it? Why do we need it? Why does personal data have to be protected?

Don’t really know what GDPR is and why it matters? We explain in simple and easy language why personal data has to be protected, what your rights are, and why this matters for democracy.

by Anna Ackermann

When you visit a website in the EU, the organisation behind it isn’t free to do whatever they want with your personal data. They have to follow certain rules and procedures known as the General Data Protection Regulation (GDPR), which has been in place in the EU since 2018.

You may find GDPR annoying because you identify it with the cookie banners that spring up every time you visit a new website. We tend to agree with you on that. Cookie banners are annoying for users, and are surely not the best way to regulate the sharing of personal data - the EU should find a workable alternative.

But GDPR is about far more than cookie banners.

What is GDPR? Why do we need GDPR?

When we use the internet, a lot of our personal information may become available to those who want to snoop on us. This could include email addresses we need when logging in, our location, or what we type into search engines. This data can say a lot about us - what we like, and how it can be marketed to us - and is extremely valuable to companies that want us to buy their products. Without regulation, companies can use our data in ways that do not serve our best interests.

There are plenty of examples where this has happened already. In 2021 the LGBTQ* online dating platform Grindr allegedly sold (re)identifiable location data of the U.S. Catholic Church official Jeffrey Burrill, which ended up in the hands of the editors of a Catholic magazine. Based on the data obtained, they published a story alleging that he was a frequent visitor of gay clubs. Following the publicity, Burrill had to step down, and faced a firestorm of debates on celibacy and promiscuous homosexual behavior. While this fallout is bad enough, in other countries he could have gone to jail or even been killed.

Clear and precise regulations, as well as their enforcement, are needed to avoid similar outcomes happening to anyone whose enemies are rich (or savvy) enough to find and decipher the traces they have left online. Or, for that matter, the data they share in certain situations offline.

To protect our right to decide what we share with others, on 25 May 2018 the European Union brought into effect GDPR, which sets out new standards for privacy and data protection. It is based on a few basic principles outlined in the following table:

Lawfulness, fairness and transparency: Data processing has to be lawful, fair, and transparent to the data subject (yes, that is you).

Purpose limitation: When doing something with data all the purposes have to be declared beforehand.

Data minimization: Only data absolutely necessary to fulfill the specified purpose can be collected.

Accuracy: Personal data needs to be accurate.

Storage limitation: Data can only be stored as long as it is needed for the specified purpose.

Integrity and confidentiality: When data is processed, this has to be secure and the processor has to ensure that information doesn’t get into the wrong hands.

Accountability: The data controller must be able to show GDPR compliance for each step of the data processing.

What is personal data according to GDPR? Why is it so important to protect it?

The terminology used when discussing GDPR can be complex and off-putting. But don’t worry, this is GDPR for dummies - we will break it down for you, as well as explain why protecting personal data is important for democracy.

So what exactly is personal data? In the official GDPR regulation, personal data is defined as any information that relates to a natural person who can be identified by this information. This includes factors like gender, postal address, cultural or social identity. So far so good, right?

But why is it so important for democracies to protect personal data in official GDPR legislation?

First of all, your right to privacy is a basic right. In order to have a life of dignity, which we all deserve, you need to be able to freely make decisions about what to keep to yourself, and what to share with others. Even before the internet, your right to privacy needed protection from others who could use your information for their own purposes. But it was very difficult and costly to gather information, especially on a mass scale for significant parts of society.

As more and more activities are being digitized, data gathering has become increasingly easy. With 92% of EU households having internet access, we can safely conclude that almost all of us leave traces of ourselves on the internet, and based on those traces companies can infer what we like, what we are interested in, or what we fear. This may not sound alarming – but in fact it can be very dangerous.

Political targeting, in particular, poses a huge danger to democracies and free speech. If parties and candidates can simply buy information about how to influence your vote, this undermines the democratic process. This has nothing to do with a fair, accessible and equal election campaign. Donald Trump, for example, spread a lot of political propaganda and misinformation via social media and direct targeting.

You should be able to see the same political ads as your neighbor, but thanks to microtargeting that might not be the case. And if you get personalized ads, you should at least have the right to know why you are being shown specific information.

What is a data breach? Why is it dangerous?

A worst-case scenario is if your data gets into the wrong hands, otherwise known as a data breach. A data breach occurs if data is stolen, lost, destroyed or has been messed with by hackers. Even the biggest companies are not 100% safe - in 2021, for instance, the data of more than 500 million Facebook users was extracted and leaked online.

But what can happen if my data is breached?

While some consequences are annoying, like losing access to your social media accounts, others are actively harmful and pose a genuine danger. Imagine, for example, if personal data from an online sex advice forum - where people anonymously sought advice about personal topics - was leaked, allowing its users to be identified offline. Such an outcome could be seriously detrimental to a person’s mental health, or even put them in physical danger if their lifestyle contravened social norms.

GDPR reduces this risk by enforcing data minimization and storage limitation. The less data stored, the less that can be leaked and the harder it is to identify people. Furthermore, data controllers must also report a breach within 72 hours at the latest, and according to Article 25 of the GDPR ("privacy by design"), all systems should be built as securely as possible.

GDPR for dummies: how does it really work? Important facts and terms

Okay, we made it this far - but we still need to cut through some fancy wordings and lay out how GDPR really works and why it is important for you:

What is a data subject?

I’m one and so are you. A data subject is anyone who has their data collected by an organisation. Basically, everyone who has ever used the internet is a data subject.

What is a data controller?

A data controller is any entity that gathers and stores data - for example, a business.

What is a data processor?

This is who a large corporation hires to process data on their behalf.

What is a supervisory authority?

Each country in the EU has its own supervisory authority. Like a data privacy sheriff, they are supposed to enforce the GDPR in their region and, if need be, hand out hefty fines.

What is a data protection officer (DPO)?

This is the person who handles all the GDPR nitty-gritty of an organization/company.

What are data protection impact assessments (DPIAs)?

When a project is likely to involve high risk to personal data, controllers need to think it through - what are the potential risks and how to minimize them - and put it into writing.

What does privacy policy mean?

A privacy policy is a public document in which an organization explains how that organization processes personal data and how it applies data protection principles - so that you know what happens to your data when interacting with them.

What does consent mean in GDPR context?

Consent, according to the GDPR, is “any freely given, specific, informed and unambiguous indication” of your wish or agreement that a certain category of your data can be processed for certain purposes by those asking for your consent.

What are user rights? What new rights do internet users have thanks to GDPR?

GDPR states 8 basic user rights for internet users in Europe. This means that you have a scope of rights, and the opportunity to step up if those are being violated.

The Right to Be Informed

Individuals have the right to be informed about who processes their data and for what purpose. This is important, because you need to know whom to contact if you think your data is being misused. The privacy policy has to be written in a way that can be easily understood.

The Right to Access

If you want to know what personal data of yours a company is storing and how it is used, you can simply send a request to access a copy of it free of charge. For example, should you want to know what data your local supermarket has on file, you can expect data on when you used their loyalty card, what you bought, whether you were sent special offers, and whether and to whom your data was sold.

The Right to Rectification

If you notice that someone holds incorrect information about you, you have the right to get it corrected. Of course, third parties who have been given your data have to be informed as well.

The Right to Erasure

This right is more commonly known as the “right to be forgotten”. In principle, you can request that a company deletes data they have about you. Your request cannot always be respected - for example, banks may not be able to delete all your data immediately because they may need to keep it by law for a certain amount of time. But if you were featured on a local website as the regional winner of the local hotdog eating contest, and you are not a public figure (thus the public has no interest in knowing how you spent your time), your request should be granted. However, it should also be mentioned that nowadays it is very hard to get data completely erased once it is out on the world wide web. Juicy clickbait tends to spread far and wide on the internet - and when your data is processed outside of the EU, enforcing your rights is next to impossible.

In 2019 the Court of Justice of the European Union ruled that the European Union can’t extend its laws beyond its borders. So while you can force Google to delete that embarrassing picture you posted on MySpace 12 years ago in European search results - if someone on a different continent googles your name, they may still have a laugh.

The Right to Restrict Processing

A situation might arise in which you may want a company to stop using your data. The first thing that comes to your mind is, I’ll ask them to delete it. However, that may not be possible, or not immediately. In such cases, you may still ask companies to not do anything with your data above and beyond what the law requires them to do, e.g. to store data for a certain amount of time.

The Right to Data Portability

Let’s imagine you are using a music streaming platform but want to change to a different one. Still, you are hesitant because you want to keep your playlists. The right to data portability is meant to ensure that you are not stuck with your old provider simply because you have no time or energy to recreate those lists. Since you are the owner of your data under the GDPR, you can ask for your data from your old streaming platform in a format that is transferable to the new service provider.

The Right to Object

If you give permission for a website to save and read cookie data, the company or organization can process your data according to their privacy policy. But what if later you change your mind, because you’re being targeted by political ads after researching a topic in the news? Theoretically at least, you have the right to object. The news site you visited can’t process or sell your data anymore. While there are some exceptions to this right, you can always oppose direct marketing. However, in practice you may need to find some alternative ways to ensure that you are not flooded with political ads, because in the current online environment you may not be able to know who processes your data. And yes, this is a violation of the GDPR.

Rights Related to Automated Decision-Making and Profiling

Automated Decision-Making (ADM) refers to decision-making by a machine based on data. Profiling means you are being put in a category (e.g. eligible for a loan or not) based on information from personal data. ADM promises to be more impartial than human decision-making, but as it is based on model learning and (sometimes incorrect) data fed by humans, true objectivity is still far out of reach.

Due to the possibility of biased decision-making, ADM and profiling pose a threat to our individual rights, freedoms and democracies. We should have the chance to know why a decision was made, and have the option to challenge it if we wish.

The EU acknowledges this problem, and thus gives the right not to be subject to a decision based solely on automated means if the decision has legal implications or significant effects on a person’s life.

What are the penalties for violating GDPR?

Depending on how exactly someone is violating the GDPR, there are two different tiers of fines.

For less serious breaches companies may have to pay up to €10 million or 2% of the company's worldwide annual revenue, whichever amount is higher.

For more serious breaches, fines can then go up to €20 million or 4% of the firm’s worldwide annual revenue.

What do we make of GDPR?

If you’ve gotten this far, you are officially no longer a dummy when it comes to GDPR. So what did we learn?

We learnt what we are (a data subject), that our behaviour online is being tracked (personal data is valuable), and that many people and companies are interested in having our data. We also learnt that a lack of privacy protection can harm democracies.

Of course, GDPR does not provide watertight protection against all sorts of privacy breaches - especially since authorities have problems enforcing it. While GDPR is a positive legal instrument that enables us to protect ourselves, it is only useful as far as it is enforceable. Going forward, the EU should focus its attention on ensuring GDPR compliance.

