The General Data Protection Regulation (GDPR) is a new EU regulation governing the collection and processing of personal data about EU citizens. It becomes law on 25th May 2018.
The UK is committed to enforcing the regulation despite Brexit, and it applies to any entity, regardless of where that entity is located, unless it specifically blocks visitors from the EU and other GDPR countries.
GDPR considers personal data to be anything that can be used to identify an individual, whether directly or indirectly. Aggregated data may still be identifying if it isn’t sufficiently pseudonymised (Bowles, 2018).
The regulations seek to stop the indiscriminate collection of data, and state that data can only be collected and processed for “specific, explicit and legitimate purposes” (ICO, 2017), and not vague reasons such as “Marketing Purposes” or “Future Research” (Bowles, 2018).
There are several lawful bases for processing data, including Consent and Legitimate Interests. Consent must be positive – not based on pre-ticked or opt-out boxes – and, where it has already been obtained, should be refreshed so that it complies with the regulation (ICO, 2018a).
Legitimate Interests is the most flexible basis for processing data and applies where people’s data is “used in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing” (ICO, 2018b). A Legitimate Interests Assessment should be carried out in order to demonstrate that this basis can legally be applied (ICO, 2018c).
The GDPR provides the following rights for individuals (ICO, 2018d):
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
External services integrated with a main service (such as analytics or database providers) should also be GDPR-compliant.
Children
Only children over the age of 13 are able to give their own consent for data collection and processing; for younger children, consent must be given by whoever holds parental responsibility for the child (ICO, 2018e). Services are expected to be proactive about ascertaining whether the user can give consent, so legitimate interests would seem to be a better basis for data processing by CianTube. In this case the interests of the data controller or processor must be balanced against the child’s interests and their fundamental rights and freedoms.
Children should also be provided with privacy notices so they are able to understand what will happen with their data.
References
Bowles, C. (2018) A techie’s rough guide to GDPR. [Available from https://www.cennydd.com/writing/a-techies-rough-guide-to-gdpr]
ICO (2017) Principles. [Available from https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/]
ICO (2018a) Consent. [Available from https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/]
ICO (2018b) Legitimate interests. [Available from https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/]
ICO (2018c) How do we apply legitimate interests in practice? [Available from https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice/]
ICO (2018d) Individual rights. [Available from https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/]
ICO (2018e) Children. [Available from https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/applications/children/]