The introduction of the GDPR, giving individuals unprecedented insight into, and control of, how their data is being used coincides with a surge in technologies that consumers willingly empower with personal information, points out Joanna Boag-Thomson, a Partner at law firm Shepherd and Wedderburn.
“With GDPR approaching, on the one hand you have rising concern among people about what data is being held by companies and organisations, and how it is being processed,” she said, “and on the other hand you have sales of devices like Amazon’s Echo skyrocketing. It suggests some anomalies in consumer behaviour, but certainly GDPR is very well-timed to coincide with this technology.”
Awareness among individuals of their rights around data is rising, according to the Information Commissioner’s Office (ICO), and it attributes this in part to publicity around GDPR. Between October and December last year, there were 815 reported data security incidents – a 19% increase on the previous quarter, and a 41% increase on the same period in 2016.
“We believe this increase was possibly due to increased awareness of the GDPR,” said an ICO spokesperson, “and the launch of our new personal data breach helpline.” Business, education, and local government were the sectors with the most reported incidents.
Boag-Thomson anticipates that the requirement on companies and organisations to revamp their privacy notices will similarly result in increased awareness among the public about how their data is being used.
The notices will include details of the organisation as data controller and the name of its data protection officer, who the data is being shared with, how long it will be kept for, if any automated decision-making, for example profiling, is being used, whether data is being processed outside the European Union, and if so what protections are in place to safeguard the data.
“From May 25, you’ll be able to look and say: ‘Oh, that’s what they are using my data for’,” said Boag-Thomson. “So, people will get transparency and be empowered by specific rights, such as ‘the right to be forgotten, the right to stop processing, and the right to data portability’.”