The responsibility rests with companies to obtain clear consent from you, and you must opt in to receive information from them, the law states that “pre-ticked boxes are not considered to be valid consent under GDPR”. The law also recognises that consent is not always possible, for example an employee cannot consent to be supervised by CCTV for a productivity issue – since there is a power imbalance between the employer and the employee. The penalties for companies are steep, up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher. No wonder companies are working hard to set up good privacy systems.
As an individual, a consumer and an employee I like the principles of the law. I’m glad to see a comprehensive overall of how our data is used, and that the EU is using its power to counteract the power behind US tech giants who haven’t taken as much care of my data as I’d like. But oh boy it’s exhausting to read everyone’s terms and conditions and sort out what I’m going to agree to. And not all companies present it in the easiest way. Here’s the notification on data sharing from FastCompany