From May 2018, a new data protection law – the General Data Protection Regulation (GDPR) – will come into force, designed to better protect the privacy of European citizens. GDPR gives consumers a number of rights over the personal data that companies collect, and forces those businesses to better protect the information too.

If a company does breach the GDPR, penalties can be quite severe. For the most serious incidents, fines could reach €20m, or 4% of their global revenue. For a company the size of Google or Apple, that may be billions of Euros.

Here’s what GDPR will mean for young people.

A right to be forgotten

Modern companies collect a lot of personal data that is used to help them design new products and services, and to create marketing messages tailored to your preferences. Under existing laws, this data can be held almost indefinitely so long as it is used properly.

The new law gives back control of personal data to the individual. Under GDPR you will have the right to contact any company and ask them to delete any of your personal data that they hold. The company then has 30 days to remove all trace of you from their systems.

Say you decide to leave Facebook. Currently you can “delete” your account, but all the posts and photographs you’ve ever uploaded are kept (and used) by Facebook – it’s just not publicly available. Once GDPR comes into force, you can ask Facebook to delete this “invisible” data too, leaving no trace you were ever a member.

Marketing opt-out

Typically, websites do offer an opt-out for marketing telephone calls and emails when you register. Hidden away at the bottom of the sign-up form will be some checkboxes that need to be ticked or unticked to indicate you don’t want to receive advertising.

Sometimes simply accepting the Terms of Service (the long, legally complex page that most people don’t read) is accepted as confirmation that you do want to receive sales calls. Your consent is implied by the company.

GDPR demands that consumers give explicit consent to having their personal data used for marketing. If you don’t click the relevant permissions box, the company cannot contact you for sales purposes.

Deleting childhood social media posts

Although GDPR is being implemented by every EU member, each state is permitted to make additions to the regulation. In the UK, young people will gain an additional right. From May next year they will be permitted to ask social networks like Facebook, Twitter and Instagram to delete any updates posted before their 18th birthday.

Because many young people share inappropriate content without fully thinking through the implications, they may be making it harder to find a job. This is certainly the case where employers routinely check the social media history of applicants.

With the right to request these embarrassing/rude/stupid be removed, young adults may be spared their blushes – at least when it comes to what they do outside the office in the evenings.

Obviously teenagers and young adults should still be trained to use social media properly, but GDPR offers one final chance to remove their most embarrassing and immature thoughts from the public arena.