The General Data Protection Regulation (GDPR) strengthens your personal data rights, including the way companies handle your data and redress for misuse of that data.
What is GDPR and how will it affect me?

On 25 May 2018 a massive change in the way companies must handle data, and the rights that consumers have, comes into force.

This new regulation is called the General Data Protection Regulation (GDPR) and it will be applicable across the EU.

In the UK, those regulations will be incorporated into the Data Protection Act 2018 – the Bill is currently going through Parliament.

It builds on the current Data Protection Act 1998 (DPA) and will strengthen the legislation, giving you more rights and protections.

Here, we explain all the main changes that give you more control over your data, and how they are likely to affect you.

Collecting your personal data

When you buy goods and services, or sometimes even just visit a website, the organisations you deal with may collect information and data about you.

This might include your name, address, and date of birth. This type of data, which is capable of identifying a living individual, is called ‘personal data’.

Organisations may even include things like the school you went to, the job you do, details about your partner or family or the sorts of things you view or buy online.

Like it or not, many organisations, including councils, hospitals, travel companies, banks and supermarkets hold data about you.

The GDPR update to the DPA adds a new range of personal identifiers, reflecting changes in technology and the way companies gather data today.

Online identifiers, such as your IP address, will be included within the definition of personal data.

Your consent will need to be positive

Soon, you will be seeing a lot fewer of those pesky pre-ticked boxes signing you up to stuff that you may not want unless you take the time to untick them.

Under GDPR rules it will be down to you to make a positive choice to agree to further direct marketing communications, such as ticking a box or agreeing over the phone.

All companies will also have to provide you with the option to opt out in all future communications.

It must be clear what you’re signing up to

Companies have to tell you specifically what you’re signing up for or opting in to – vague or blanket consent is no longer good enough.

When you’re presented with the option of ticking a box for further communications, it should be written in plain language that’s easy to understand.

The purpose of collecting your personal data and who it will be shared with must also be made clear to you at the point you make the choice.

Importantly, your positive opt-in shouldn’t later be misused to contact you for anything you didn’t sign up to.

You can ask for data in a format that will help you

One brand new right introduced by GDPR is the right to data portability. This means you can ask for your data from a company in a machine-readable format that enables you to reuse it, for instance in helping you get a better energy deal.

In theory, this will allow you to move, copy or transfer personal data more easily from one IT environment to another in a safer and more secure way.

You can opt out of profiling

You now have the right to opt out of activity from online retailers and companies, including profiling used for direct marketing purposes.

Companies must inform you of your right to object at the point of first communication and in their privacy notice, and must stop processing your personal data as soon as they receive an objection.

For many purposes, you would want companies to continue handling personal information to perform the tasks you need them to.

Appeal automated decisions made using your data

Companies often use algorithms to make decisions automatically about some issues, such as an online decision to award a loan or in a recruitment aptitude test.

This analysis reveals links between your different behaviours and characteristics to create a personalised profile of your preferences.

This information can then be used by those companies to make decisions that affect you. That might be to award you a loan (or to reject your application) or in screening an application for a job.

Once GDPR is adopted, you can object to solely automated decision making – when that decision has a significant effect on you – and some such decisions (such as online credit or e-recruiting) will be subject to additional controls.

You can then ask for a human to review that decision, but it doesn’t necessarily mean the result will be any different.

Serious data breaches

If there is a serious breach of your data, you have to be told right away. The GDPR introduces a duty on all organisations to report certain types of personal data breach to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it, where feasible.

If there has been a breach, the company should explain to you, in clear and plain language, the nature of the personal data breach and, at least:

the name and contact details of its data protection officer or other contact point that can provide more information

a description of the likely consequences of the personal data breach

a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

The ICO has the power to compel companies to inform affected individuals if it considers there is a high risk, where the company hasn’t