Personal Data – Privacy and Trust

Personal Data, Privacy Shield. Privacy and Personal Data - Image created with the help of DALL·E by OpenAI.

Our personal data has become a trading good, collected and used by companies and governments. This raises concerns about our fundamental right to privacy and about whom we should trust to control these data. Companies intend to use personal data for product design and for aligning their products with customer needs.

This is why consent over how personal information is managed matters. Digital interconnectivity and technological progress are important, and so are our civil liberties. Striking a balance between commercial gains, data safety and privacy rights is a constant challenge.

Since 2018, EU-based legal entities that collect and store private data must be GDPR compliant. Personal data collection plays a strategic role and offers insights into business customers’ behaviour. However, if they don’t comply with GDPR provisions, that same data collection will ruin their reputation and expose them to financial risks.

The latest GDPR changes are an attempt to simplify its implementation and save costs for small EU businesses. The EC introduces a new “small-mid cap” category for companies with fewer than 750 employees and up to €150 million in turnover or €129 million in assets, which will benefit from eased compliance rules.

Personal data is private information that can identify us, such as our names, email addresses, phone numbers, locations, and credit card data. In the EU, the privacy rights protected by GDPR mainly concern the protection, access, and correction of personal data.

GDPR’s provisions allow us to see who has accessed our private data and what they have done with these data; their role is to prevent the misuse of personal data. Compliance with these provisions is actively verified, as the rising number of fines proves.

GDPR individual rights protection and EU AI Act

Employers are using AI not only for recruitment purposes and people operations but also in the decision-making process. The possibility of misuse of personal data raises concerns about transparency, the consent given and the potential for bias in automated decisions.

Advancing AI technologies are changing the data protection requirements and privacy protection rules. The recently adopted EU AI Act aims to address risks to safety and fundamental rights while also complying with GDPR provisions.

Organizations implementing AI systems face growing concerns about data privacy and individual rights as automated decision-making processes become more prevalent in business operations. GDPR provisions on automated decisions state that we have the right not to be subject to solely automated decisions involving the processing of personal data that produce legal or similarly significant effects.

Accordingly, we retain control over decisions affecting us because individual rights are protected against potentially harmful automated decisions. Automated decision-making applies to recruitment, credit scoring, monitoring employee performance, admissions and grading in educational systems, patient safety and care, etc.

According to European authorities, the EU AI Act requires AI system providers to disclose certain information and act transparently, enabling a better understanding of the LLMs (large language models) they use. Moreover, AI providers are required to have policies that address copyright laws and racial and gender bias.

Exposure to risks because of lack of transparency

Data usage has significant legal and reputational implications for businesses, regardless of scale. Both big and small companies may face public suspicion and legal penalties if they do not disclose how they collect, store, and use data.

According to GDPR, users should be informed and have consent choices for the private data collected about them. Even small websites that use third-party companies or analytics need cookie notices and data collection terms. Browsing data can be converted into marketing tools to predict customers’ future choices.

Cookies can collect data like IP addresses, login data, geo-locations, time on web pages, and bookmarks. All these browsing data are potentially private information depending on the business’s operations and the type of cookies accepted.

These regulations also affect business relationships with countries outside the EU if organizations there want to collect data from EU citizens. Most companies processing personal data inside the EU or doing business with companies outside the EU have responsibilities under GDPR. Any type of organization located in the EU, or with legal branches in the EU, must comply with GDPR.

Also, companies outside the EU that offer services involving processing the personal data of EU citizens have the same obligations. If these organizations are providers based outside the EU and target EU customers, they are subject to the GDPR.

Hiring requirements and personal data

Information such as ethnic origin, biometric data, state of health, or disabilities is sensitive data that raises real privacy concerns. Recruitment agencies and employers handle the selection and hiring process online and ask for the candidates’ consent to process these data.

Consent and contractual obligations are two of the most important grounds for allowing personal data processing. The consent an employee grants to an employer covers data processing only for a clear and specific purpose.

Additionally, consent must be voluntary, specific, informed and given through a clear affirmative response. Organizations that process data must make it easy for people to withdraw their consent in order to protect their privacy, since, for instance, the purpose of data processing can change at any moment.

Most companies use Applicant Tracking Systems (ATS) to handle privacy obligations, which are now a constant and repetitive task for HR. People provide employers with a CV, social media profiles, and possibly copies of professional qualifications. So, employers can collect and process the data under GDPR provisions and ask candidates for clear and specific consent.

Personal data and balance between interests and privacy rights

Contractual obligations are another reason for personal data processing. Whenever we sign a contract, personal data are involved. That is why GDPR and the related legal requirements must be respected. So, for example, if you signed an employment contract, that employer will need to process your data to comply with its legal responsibilities as part of the employment contract obligations.

Lawmakers are trying to balance businesses’ legitimate interests in data analytics with people’s privacy rights. The imbalance lies between what organisations want to offer and our willingness to grant them access to our private data such as location, phone number, email, and other personal data.

Lawful reasons to process personal data

According to GDPR, legitimate interests should be the main reason for asking people for their consent. However, this so-called legitimate interest comes and goes, and the request for consent is a repetitive activity for companies that process personal data. Each EU country has a supervisory authority that monitors and enforces compliance with the GDPR provisions, as requested.

However, we keep moving back and forth between our privacy and the necessity of data processing from a security or business operations point of view. In this context, the GDPR’s basic principles, like purpose specification, data minimization, and transparency requirements for systematically collected data, become the basic provisions that create balance.

Why should we be interested in companies complying with GDPR?

  1. Trust. By applying and enforcing private data regulations, companies might gain the trust of their customers and employees and be perceived as trustworthy guardians of private data.
  2. Protection. Whether as customers or employees, we entrust organizations with sensitive data that carries the risk of being misused. Regulations provide a framework to handle abuse and possible misbehaviour.
  3. Control. We gain some control over the personal data provided to different legal entities through our right to request deletion or correction of our data. For instance, during a recruitment process, we can withdraw consent if we are no longer interested or change our mind.

Depending on the organization’s complexity, personal data regulations are not easy to apply. There are still debates about how and when they should be implemented. However, the protection of personal data will always matter, because sharing it comes with benefits but also with risks. If we value our privacy, we’ll always need to be aware of the data protection regulations that apply to us.