
Don't let big businesses strip you of your privacy rights!

Take control of your data
The new EU data protection law is being attacked by big business, who want your data for corporate surveillance.
Here’s what the law would mean for you, and why you need new data rights.

Control your data

The new law would help you decide who gets your data, what they can do with it and who they can give it to. You will be able to find out what's happening to your personal information more easily. You'll then be able to object to what's going on, have your personal information erased or get it back from businesses.


All your data

Lots of different types of information can be used to identify you or single you out – whether it is your web browsing logs, data from your apps or electronic travel cards. Even if these logs are not associated with your name, they tell a story about you. The Regulation needs to be broad enough to cover all the different sorts of information.


Agree to what happens

The Regulation will make sure you are properly informed about the information you are giving away and how it will be used. You will have the opportunity to give “explicit consent” to the use of your information – meaning companies just can't get away with vague or easy-to-misunderstand tick boxes.


Make the law enforceable

When people who collect and use your information break privacy rules, there should be meaningful consequences. But at the moment the enforcement of data protection is too weak, meaning organisations don't take it seriously enough. Without the threat of tough financial sanctions (see Article 79), those who use your data will continue to flout the rules.



1. Control your data

More information: Too often we do not control how our personal information will be used. It is not surprising that the majority of people do not trust those that collect and use their personal data.

A Eurobarometer survey found that 70% of Europeans are concerned about companies using information for a purpose different to the one it was collected for. A study by TRUSTe in the UK found that 94% of people worry about their online privacy, and that consumers engage less with companies they do not trust – leading to lower purchases (29%), app downloads (68%) and sharing of information (86%).

The Regulation would give you a number of rights to help you decide how your data is collected and used. For example, there are provisions to make sure you can find out how your information is being used (see Articles 14 and 15). Article 16 would give you a right to have inaccurate personal data relating to you rectified. The “right to erasure” (see Article 17) would allow you to have personal information deleted if you don't want it stored or used anymore. The “data portability” section (see Article 18) would allow you to get data back from a social network or other organisation – helping you switch to other services, for example. Article 19 offers rights to object to processing of personal information and Article 20 would allow you to find out about, and not be subjected to, profiling.


2. All your data

More information: There are ways to try to 'anonymise' data sets, so that it seems the subjects of a study or dataset are not identifiable. The term 'pseudonymisation' is a way of describing a broad range of techniques for trying to make data identifiable only when combined with other data.

But even if a company 'pseudonymises' information about a specific person (meaning “Mr. Smith's” name is separated from other information about him and this information is then saved in a separate database as record number “ABC123”) the information can still be used to make decisions targeted at Mr. Smith.

Furthermore, data that is supposedly 'anonymous' or 'anonymised' can, in fact, be re-identified. For example, researchers were able to identify people who participated in a large genomic study based on some of the participants’ genomes and other publicly accessible information. As technology and techniques develop, re-identification from supposedly anonymised or pseudonymised datasets will become easier.

A number of amendments to the Regulation would exclude 'pseudonymous' and 'anonymous' data from the law. We think the same standards should apply to all data that can be used to single people out.


3. Agree to what happens to your data

More information: Consent is one of the six legal bases of processing. It is frequently abused, especially online, where collection is often based on vague or confusing language. Sometimes businesses say it is enough that someone's behaviour – for example signing up to a website – implies that they consent to the use of their data.

To address this, the new Regulation would mean that consent must be 'informed, specific and explicit'. That would mean somebody has to make an active choice, ensuring people really know what data processing they are agreeing to.

People want more control over how their data is used. For example, participants in a 2010 study by the UK think-tank Demos (“A People's Inquiry into Personal Information”) made a number of demands for more control, for example through greater transparency and more meaningful consent. Some amendments would weaken what consent means, for instance by removing the word “explicit”.


4. Make it enforceable

An effective data protection regime requires tougher and clearer sanctions. Article 79 proposes stronger sanctions, potentially including fines of up to 2% of a company's annual turnover for the worst breaches.

Currently the sanctions available to Data Protection Authorities are not strong enough. For example, the German data protection regulator recently fined Google €145,000 for the “systematic, illegal collection of personal data while it was creating the Street View mapping service”. This was near to the maximum possible fine.

Google's net profit for the final three months of 2012 was £1.83bn (http://www.bbc.co.uk/news/business-21153580). Yahoo! profits for the same quarter stood at $370m. The processing of personal information is fundamental to such companies' business models. It is the source of much of their revenue. Fines at the current level are simply not high enough to be a deterrent against non-compliance with Data Protection law. Without sanctions that reflect these realities, compliance will likely not be a boardroom issue.
