General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) strengthens your personal data rights, including the way companies handle your data and redress for misuse of that data.

What is GDPR and how will it affect me?

On 25 May 2018 a massive change in the way companies must handle data, and the rights that consumers have, comes into force.

This new regulation is called the General Data Protection Regulation (GDPR) and it will be applicable across the EU.

In the UK, those regulations will be incorporated into the Data Protection Act 2018 – the Bill is currently going through Parliament.

It builds on the current Data Protection Act 1998 (DPA) and will strengthen the legislation, giving you more rights and protections.

Here, we explain all the main changes that give you more control over your data, and how they are likely to affect you.

Collecting your personal data

When you buy goods and services, or sometimes even just visit a website, the organisations you deal with may collect information and data about you.

This might include your name, address, and date of birth. This type of data, which is capable of identifying a living individual, is called 'personal data'.

Organisations may even include things like the school you went to, the job you do, details about your partner or family or the sorts of things you view or buy online.

Like it or not, many organisations, including councils, hospitals, travel companies, banks and supermarkets hold data about you.

The GDPR update to the DPA adds in a new range of personal identifiers, reflecting changes in technology and the way companies gather data today.

Online identifiers, such as your IP address, will be included within the definition of personal data.

Soon, you will be seeing a lot fewer of those pesky pre-ticked boxes signing you up to stuff that you may not want unless you take the time to untick them.

Under GDPR rules it will be down to you to make a positive choice to agree to further direct marketing communications, such as ticking a box or agreeing over the phone.

All companies will also have to provide you with the option to opt out in all future communications.

If you want companies to stop using your data, make a request to an organisation to stop processing your data for the purposes of direct marketing.

It must be clear what you’re signing up to

Companies have to tell you specifically what you’re signing up for or opting in to – vague or blanket consent is no longer good enough.

When you’re presented with the option of ticking a box for further communications, it should be written in plain language that’s easy to understand.

The purpose of collecting your personal data and who it will be shared with must also be made clear to you at the point you make the choice.

Importantly, your positive opt-in shouldn’t later be misused to contact you for anything you didn’t sign up to.

You can ask for data in a format that will help you

One brand new right introduced by GDPR is the right to data portability. This means you can ask for your data from a company in a machine-readable format that enables you to reuse it, for instance in helping you get a better energy deal.

In theory, this will allow you to move, copy or transfer personal data more easily from one IT environment to another in a safer and more secure way.

You can opt out of profiling

You now have the right to object to the processing of your data by online retailers and companies, including profiling used for direct marketing purposes.

Companies must inform you of your right to object at the point of first communication and in their privacy notice, and must stop processing your personal data as soon as they receive an objection.

For many purposes, you would want companies to continue handling personal information to perform the tasks you need them to.

Appeal automated decisions made using your data

Companies often use algorithms to make decisions automatically about some issues, such as an online decision to award a loan or in a recruitment aptitude test.

This analysis reveals links between your different behaviours and characteristics to create a personalised profile of your preferences.

This information can then be used by those companies to make decisions that affect you. That might be to award you a loan (or to reject your application) or in screening an application for a job.

Once GDPR is adopted, you can object to solely automated decision making - when that decision has a significant effect on you - and some such decisions (such as online credit or e-recruiting) will be subject to additional controls.

You can then ask for a human to review that decision, but it doesn't necessarily mean the result will be any different. 

Serious data breaches

If there is a serious breach of your data, you have to be told right away. The GDPR introduces a duty on all organisations to report certain types of personal data breach to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it, where feasible.

If there has been a breach, the company should explain to you, in clear and plain language, the nature of the personal data breach and, at least:

  • the name and contact details of its data protection officer or other contact point that can provide more information
  • a description of the likely consequences of the personal data breach
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, the measures taken to mitigate any possible adverse effects.

Where a company has not informed affected individuals, the ICO has the power to compel it to do so if it considers there is a high risk.

Take these steps to protect yourself and make a compensation claim if you become aware that an organisation has lost your data.

Huge fines for companies if they break the rules

In the most exceptionally severe cases where companies have breached the new rules, the ICO could fine them up to €20m or 4% of their annual global revenue – whichever is higher.

But GDPR is not about issuing big fines, and it's unlikely the ICO will stray far from the size of fines it's already issuing.

At present, the highest fine that can be levied is £500,000. Carphone Warehouse was fined £400,000 in January for a data breach - previously, TalkTalk had the same penalty.

More routes to compensation

You also now have more opportunities to make a claim for a misuse of your data and get compensation for both material and non-material damage including, but not limited to, distress and reputational damage. 

The GDPR update also broadens who you can make a claim against, enabling you to claim against the data processor, as well as the data controller.

For example, previously you wouldn’t have been able to claim against a misuse of your personal data by a call centre acting as a processor. Instead you would have had to find out who the data processor was handling the data for and make a claim against the controller. But now you can make a claim against both. 

Compensation can be claimed for the breach, financial losses and also any distress caused. While you can take both the controller and the processor to court, you can only recover compensation once.

Subject access requests

You have always been able to make a subject access request, which allows you to act on your right to obtain access to your personal data held by a company. But now it will be free. 

You might make a subject access request if you think that a company is not processing your data lawfully.

Companies have to provide you with the information without delay and at the latest within one month of receiving your request.

This is shorter than the previous 40-day timeframe. However, companies are allowed to extend the period by a further two months if the request is complex or numerous.

If this is the case, the company must inform you within a month from the date you made the request and explain why the extension is necessary. 

A word of warning: if your request is unfounded or excessive, the controller of the data may still charge a fee or refuse to act on the request.

Read our Data Protection Act guide for more on the existing regulations.

Collective rights to redress

Under the new rules, you'll have the right to mandate not-for-profit bodies, organisations or associations that meet certain criteria to complain on your behalf, and to exercise the right to receive compensation on your behalf.

But we want this to go one step further. 

We are calling for collective data redress in the final Act, which would introduce the ability for independent bodies to take cases on behalf of all affected consumers collectively. 

This would make it much easier for you to get compensation. 
