The General Data Protection Regulation (GDPR) is a set of EU-wide data protection rules. In the UK it is supplemented by the Data Protection Act 2018, which sets out how the GDPR applies in UK law.
Here, we explain some of the most important rights you have to control your data, how these data protection rights could affect you and how you can use them.
The Data Protection Act 2018 remains in place to protect your personal data. All the rules still apply, but once the Brexit transition period comes to an end the UK government will be free to change them.
When you buy goods and services, or sometimes even just visit a website, the organisations you deal with may collect and process information about you.
This might include your name, address, and telephone number. This type of data, which is capable of identifying a living individual, is called 'personal data'.
Organisations may even ask for data like your date of birth, the school you went to, the job you do, details about your partner or family or the sorts of things you view or buy online.
Like it or not, many organisations, including councils, hospitals, travel companies, banks and supermarkets, hold data about you.
GDPR widens the definition of personal data to cover a new range of identifiers, reflecting changes in technology and the way companies gather data today.
Online identifiers, such as your IP address or the identifiers stored in cookies, are now expressly included within the definition of personal data.
A subject access request (SAR) is how you exercise your right to obtain access to the personal data a company holds and processes about you.
Previously you had to pay a small fee to make one, but under the Data Protection Act 2018, it now has to be free of charge in most circumstances.
You might make a subject access request if you think a company is not processing your data lawfully, if you want to check what information it holds about you and whether that information is accurate and up to date, or to ask for something specific such as your job interview notes.
Companies have to provide you with the information without delay and at the latest within one month of receiving your request.
This is shorter than the previous 40-day timeframe. However, companies are allowed to extend the period by a further two months if the request is complex or if you have made numerous requests.
If this is the case, the company must inform you within a month from the date you made the request and explain why the extension is necessary.
A word of warning: if your request is manifestly unfounded or excessive, the controller of the data may charge a reasonable fee or refuse to act on the request. If you think the charge is unfair or your request has been wrongly refused, you can complain to the ICO.
Under GDPR it is usually up to you to make a positive choice to agree to further direct marketing communications by email, such as ticking a box or agreeing over the phone.
The exception is where you have bought something, given the organisation your details, and did not opt out of marketing messages.
This also applies if you negotiated to buy something, for example by asking for a quote or for more clarity on what it offers, and did not opt out of marketing messages.
In these circumstances, the assumption is that you are probably happy to receive marketing about similar products or services even if you haven’t specifically consented, and the Privacy and Electronic Communications Regulations (PECR) allow organisations to contact you by email for marketing purposes.
Withdrawing your consent should be as easy as giving it. Companies should make it easy for you to do so, for example by providing an unsubscribe link at the bottom of their marketing emails.
At least one of the following lawful bases set out in Article 6 of GDPR must apply whenever an organisation processes your personal data:
The Information Commissioner’s Office (ICO) breaks this down into a three-part test:
Companies should make it clear what they will do with your data, using plain language that’s easy to understand.
The purpose of collecting your personal data (for example, for marketing) must also be made clear to you at the point your data is collected.
GDPR gives you the right to have your personal data erased. The right to erasure is also known as ‘the right to be forgotten’.
You can make a request for erasure verbally or in writing and the company has one month to respond to a request.
Some reasons you might ask a company to erase your personal data are:
There are some exemptions where the company or organisation can refuse your request.
GDPR includes a right that allows you to request that inaccurate personal data is rectified and that incomplete personal data is completed.
You can make a request for rectification verbally or in writing and the company has one month to respond to your request.
A company can refuse to comply with your request for rectification if it considers the request manifestly unfounded or excessive.
If you have provided your personal data to a controller and it is being processed by automated means either on the basis of consent or for the performance of a contract, you’ll have the right to request that data in a machine-readable format and the right to have that transmitted to another data controller.
In theory, the right to personal data portability will allow you to move, copy or transfer personal data more easily from one IT environment to another in a safer and more secure way.
This may also enable you to take advantage of applications and services such as price comparison websites, which can use this data to find you a better deal.
You now have the right to object to certain processing of your personal data by online retailers and other companies, including profiling used for direct marketing purposes.
Companies must inform you of your right to object at the point of first communication or in their privacy notice.
In the case of an objection to processing for direct marketing purposes, they must stop processing your personal data for that purpose.
GDPR gives you the right in certain circumstances not to be subject to decisions which are based solely on automated processing, and which have a legal or other significant effect on you. Some decisions (such as online credit or e-recruiting) may also be subject to additional controls.
If you object, you can ask for a human to review the automated decision that has been made, but it doesn't necessarily mean the result will be any different.
If there is a breach of your data that is likely to result in a high risk to your rights and freedoms, you have to be told without undue delay. The GDPR introduced a duty on organisations to report certain types of personal data breach to the Information Commissioner’s Office (ICO) within 72 hours of the organisation becoming aware of it, where feasible.
If there has been a breach, the company should explain to you, in clear and plain language, the nature of the personal data breach and, at least:
Where a company hasn’t informed affected individuals, the ICO has the power to compel them to do so if it considers there is a high risk to individuals’ rights and freedoms.
In the most severe cases where companies have breached the new rules, the ICO can issue fines of up to €20m or 4% of annual global turnover, whichever is higher.
In April 2019 the ICO fined pregnancy and parenting advice service Bounty UK Ltd £400,000 for sharing the personal data of over 14 million individuals with a number of organisations, including credit reference and marketing agencies, without informing the individuals that it would do this. That fine was issued under the earlier Data Protection Act 1998, because the sharing took place before GDPR came into force.
You can in certain circumstances make a claim for compensation for both material and non-material damage including, but not limited to, distress and reputational damage, if your data has been misused or if there has been an infringement of the GDPR.
The GDPR broadened who you can make a claim against. You can claim against the data processor, as well as the data controller.
For example, previously you wouldn’t have been able to claim against a misuse of your personal data by a call centre acting as a processor. Instead you would have had to find out who the controller was that the data processor was handling the data for and make a claim against them. But now you can make a claim against either or both entities.
Compensation can be claimed for damage suffered as a result of a breach, including financial losses and any distress caused. While you can take both a controller and a processor to court, you can only recover your loss once, so you won’t be able to claim the full amount from both entities.