A wise man once said, “Hold faithfulness and sincerity as first principles.” The European Union General Data Protection Regulation (GDPR) places emphasis on the data subject—the living, breathing human being whose personal information should be protected at all costs. According to the Identity Theft Resource Center, there have been almost 200 breaches in the U.S. alone in the first three months of 2018, with an exposure of over 3.6 million records.1 Many companies that have been breached respond by providing free credit- monitoring services to the victims. However, these services are costly for the company and many consumers choose not to take advantage of the service. GDPR threatens substantial fines if companies are found to be non-compliant, forcing them to be more accountable.
GDPR gives individuals much more power to access and control the information that is held about them:
- Organizations processing personal information must clearly explain that consent is being given and there has to be a “positive opt-in” from the individual. Controllers are also encouraged to develop interoperability among each other to make the subject’s data portable and easy to move across the EU.
- Everyone has the right to get confirmation that an organization has information about them and to receive access to this information and any other supplementary information. Organizations must deliver the requested information within one month.
- GDPR also includes a person’s rights regarding automated processing of data: individuals have the right not to be subject to a decision if it is automatic and if it produces a significant effect on a person.
- The new regulation also gives individuals the power to get their personal data erased in some circumstances: if it is no longer necessary for the purpose it was collected, if consent is withdrawn, if there’s no legitimate interest and/or if it was unlawfully processed. Subjects must be able to withdraw consent with the same ease that he/she gave it.
For more information on the rights of data subjects, view our paper, How Forescout Technologies Is Preparing for GDPR.