What is GDPR and what does it mean for me?
This year sees the introduction of a new piece of legislation across Europe called GDPR. While this doesn’t sound very catchy or exciting, it’s actually a long overdue update on laws that will give you more control over how your personal data is used.
What does GDPR stand for?
GDPR stands for the General Data Protection Regulation and it will replace the EU Data Protection Directive that was introduced in 1995. As the former legislation was published twenty-three years ago, it’s understandable why this legislation needed updating.
To give you some context about how much the world has changed since then, at that time there was no Google, no Facebook, and most of us relied on ‘dial-up’ internet services. So it’s fair to say that any legislation written at that time may be a little out of date.
What does GDPR mean for me?
The new GDPR legislation comes into force in May this year, bringing with it more rights for you as a consumer. It means that you will have more power to challenge how organisations will ask for, store, use and otherwise process your personal data. So any information that can be used to directly or indirectly identify you as an individual (your name, date of birth, IP address etc.) may constitute personal data and will be expected to be under stricter controls and protection.
What this means in real life is that whenever you are asked for any personal data, whoever is asking for it needs to make it really clear:
- why they are asking for it,
- the types of personal data they will process and who they will disclose it to,
- what they intend to use it for,
- where you consented to the collection of your information, that you can withdraw your consent at any time, and
- that you have the option not to provide this information.
Once you have provided your personal details you will also have more rights than before to ask organisations what information they hold on you and to make requests about what is done with that information. These rights include:
- The right to be informed
This means that you have the right to know why your information is being collected and used. This should be communicated to you in a clear way before you provide any personal data.
- The right of access
You will have the right to access the personal data that an organisation holds on you as well as how that information is being processed.
- The right to rectification
You will also have the right to ask for incorrect or incomplete information that an organisation holds on you to be corrected (rectified).
- The right to erasure
This is also referred to as ‘the right to be forgotten’. This means that if there is no strong reason why an organisation would need to keep your details on file (such as to ensure that they communicate with you about a service that they provide, or because they have a legal requirement to hold the data), you have the right to request that everything they hold on you is deleted or anonymised. Anonymisation masks personally identifiable information so that the data cannot be attributed to a living person.
- The right to restrict processing
As a consumer you can also request that a company does not process (or use) your data. For example, if you have contested the accuracy of the information that they hold on you, they can store that data but they cannot use it until they have ensured that what they are currently storing is correct, and you are happy for it to be used.
- The right to data portability
Sometimes it can help to share your personal data across different organisations – for example if you are shopping around for a better deal. This rule means that if it is possible, the organisation that currently holds your data will need to share it in a safe and secure way. Some financial organisations already do this through something called ‘midata’. A good example of this might be if you needed to provide information to a price comparison website.
- The right to object
You also have the right to say no. You may object to an organisation using your details to market their products or services to you for example. Before any organisation can do this, they must make it clear what they are going to use the data for, and give you the opportunity to object if you disagree.
Who do I complain to if I am unhappy with how my data is being used?
Your first port of call should always be to speak directly to the company which collected your personal data. They may be able to resolve your complaint to your satisfaction. If you aren’t happy with the outcome then you can raise your concerns through the ICO's website using the ‘report a concern’ link.
What happens if organisations don’t stick to these rules?
The organisation that will enforce these rules in the UK is the Information Commissioner’s Office (ICO). The ICO have set out the full details of the regulation on their website. But in a nutshell, if they investigate an organisation and decide that it is not sticking to the new rules, or has caused any kind of damage to an individual by not looking after their personal data properly, then they have the right to take action and fine it.
Will GDPR still apply after Brexit?
While this is a new piece of legislation that has its roots in the EU, the UK will be introducing a new Data Protection Bill 2018 which will include most of what is covered in the GDPR. So once we leave the EU, most organisations may align their policies to the Data Protection Bill 2018, but the GDPR rules will still be relevant when dealing with EU organisations.
Please note this article does not constitute legal advice.