What is GDPR and how does it affect you?
The General Data Protection Regulation (GDPR) is an EU-wide set of data protection rules. It applies directly in the UK and is supplemented by the Data Protection Act 2018.
Here, we explain some of the most important rights you have to control your data, how these data protection rights could affect you and how you can use them.
Will my data rights change when the UK leaves the EU?
If the UK leaves the EU with no deal, you won't see an immediate change in the UK’s own data-protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it.
In a no-deal scenario, the Information Commissioner’s Office (ICO) will no longer be part of the arrangement set up by the GDPR that allows EU data regulators to coordinate on complaints from EU member state citizens.
This means the ICO will not be able to co-operate with equivalent data protection authorities in the EU about complaints from UK citizens. In addition, if a company is only based in an EU member state, the ICO may not be able to consider a complaint about that company.
Read our Brexit guide for more information on how the UK leaving the EU could impact protection of your personal data.
Collecting your personal data
When you buy goods and services, or sometimes even just visit a website, the organisations you deal with may collect and process information about you.
This might include your name, address, and telephone number. This type of data, which is capable of identifying a living individual, is called 'personal data'.
Organisations may even ask for data like your date of birth, the school you went to, the job you do, details about your partner or family or the sorts of things you view or buy online.
Like it or not, many organisations, including councils, hospitals, travel companies, banks and supermarkets hold data about you.
GDPR widens the definition of personal data to cover a new range of identifiers, reflecting changes in technology and the way companies gather data today.
Online identifiers, such as your IP address or a cookie identifier, now count as personal data.
Read our guide on what counts as personal data if you'd like to know more.
Find your data - subject access requests
The right to make a subject access request existed under the former Data Protection Act 1998.
A subject access request allows you to act on your right to obtain access to your personal data being processed by a company.
Previously you had to pay a small fee to make one, but under the Data Protection Act 2018, it now has to be free of charge in most circumstances.
You might make a subject access request if you think a company is not processing your data lawfully, to check what information it holds about you and whether that information is accurate and up to date, or to ask for notes taken at a job interview.
Companies have to provide you with the information without delay and at the latest within one month of receiving your request.
This is shorter than the previous 40-day timeframe. However, companies are allowed to extend the period by a further two months if the request is complex or if you have made numerous requests.
If this is the case, the company must inform you within a month from the date you made the request and explain why the extension is necessary.
A word of warning: if your request is unfounded or excessive, the controller of the data may charge a fee or refuse to act on the request. If you think the charge is unfair or your request is refused, you can complain to the ICO.
When your consent is needed for marketing
Under GDPR it is usually up to you to make a positive choice to agree to further direct marketing communications by email, such as ticking a box or agreeing over the phone.
Are there any exceptions?
The exception is where you bought something, gave the organisation your details in the process, and did not opt out of marketing messages.
This also applies if you negotiated to buy something, for example by asking for a quote or for more detail about what the organisation offers, and did not opt out of marketing messages.
In these circumstances, the assumption is that you are probably happy to receive marketing about similar products or services even if you haven’t specifically consented, and the Privacy and Electronic Communications Regulations (PECR) allow organisations to contact you by email for marketing purposes.
Withdrawing your consent should be as easy as giving it. Companies should make it easy for you to do so, for example by providing an unsubscribe link at the bottom of their marketing emails.
If you want companies to stop using your data, make a request to stop processing your data for the purposes of direct marketing.
Data protection: jargon buster
- Processing is essentially anything that is done to or with personal data. This includes but is not limited to collecting, recording, organising, structuring, storing, adapting, altering, erasing or destroying.
- A data subject is an identified or identifiable person.
- A controller determines the purposes and means of the processing of personal data.
- A processor processes data on behalf of a controller.
Six lawful bases for processing your data
At least one of the following lawful bases set out in Article 6 of GDPR must apply whenever an organisation processes your personal data:
- Consent: you have given the organisation consent to process your personal data for one or more specific purposes.
- Contract: the processing is necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into a contract.
- Legal obligation: the processing is necessary to comply with a legal obligation which the organisation is subject to.
- Vital interests: the processing is necessary to protect someone’s vital interests or those of another person.
- Public task: the processing is necessary to perform a task in the public interest or an official function with a clear basis in law.
- Legitimate interests: the processing is necessary for the purposes of pursuing the organisation’s legitimate interests or those of a third party, except where those interests are overridden by the interests or rights of the data subject which require protection.
The Information Commissioner’s Office (ICO) breaks the legitimate interests basis down into a three-part test:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
Companies must make it clear to you how your data will be used
Companies should make it clear what they will do with your data, using plain language that’s easy to understand.
The purpose of collecting your personal data (for example, for marketing) must also be made clear to you at the point your data is collected.
You can ask for your data to be erased
GDPR gives you the right to have your personal data erased. The right to erasure is also known as ‘the right to be forgotten’.
You can make a request for erasure verbally or in writing and the company has one month to respond to a request.
Some reasons you might ask a company to erase your personal data are:
- you no longer need the service (so they should no longer need to hold your data)
- you're objecting to the company using your data for direct marketing
- the company is processing your data without your consent
There are some exemptions under which a company or organisation can refuse your request, where the processing is necessary:
- for exercising the right of freedom of expression and information
- to comply with a legal obligation
- for the performance of a task carried out in the public interest or in the exercise of official authority
- for archiving purposes in the public interest, scientific or historical research, or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of that processing
- for the establishment, exercise or defence of legal claims
You can ask for inaccurate information to be corrected
GDPR includes a right that allows you to request that inaccurate or incomplete personal data be rectified or completed.
You can make a request for rectification verbally or in writing and the company has one month to respond to your request.
A company can refuse to comply with your request for rectification if it thinks the request is unfounded or excessive.
You can ask for data in a format that will help you
If you have provided your personal data to a controller and it is being processed by automated means either on the basis of consent or for the performance of a contract, you’ll have the right to request that data in a machine-readable format and the right to have that transmitted to another data controller.
In theory, the right to personal data portability will allow you to move, copy or transfer personal data more easily from one IT environment to another in a safer and more secure way.
This may also enable you to take advantage of applications and services such as price comparison websites, which can use this data to find you a better deal.
You can object to profiling and the use of your data for direct marketing
You now have the right to object to the processing of your personal data for direct marketing purposes, including any profiling carried out for direct marketing.
Companies must inform you of your right to object at the point of first communication or in their privacy notice.
In the case of an objection to processing for direct marketing purposes, they must stop processing your personal data for that purpose.
Appeal automated decisions
GDPR gives you the right, in certain circumstances, not to be subject to decisions which are based solely on automated processing and which have a legal or similarly significant effect on you. Automatic refusal of an online credit application, or e-recruiting without any human involvement, are examples of such decisions.
If you object, you can ask for a human to review the automated decision that has been made, but it doesn't necessarily mean the result will be any different.
Read our guide for more information on how automated decision making and profiling work, including what you can do to stop it.
Serious data breaches
If there is a breach of your data that is likely to result in a high risk to your rights and freedoms, you have to be told without undue delay. The GDPR also introduced a duty on organisations to report certain types of personal data breach to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
If there has been a breach, the company should explain to you, in clear and plain language, the nature of the personal data breach and, at least:
- the name and contact details of its data protection officer or other contact point that can provide more information
- a description of the likely consequences of the personal data breach
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
Where a company hasn’t informed affected individuals, the ICO has the power to compel them to do so if it considers there is a high risk to individuals’ rights and freedoms.
If you become aware that an organisation has lost your personal data, read our guide for steps you can take to protect yourself and, in some cases, claim compensation following a data breach.
Huge fines for companies if they break the rules
In the most severe cases where companies have breached the new rules, the ICO can issue fines of up to €20m or 4% of annual worldwide turnover, whichever is higher.
In April 2019 the ICO fined pregnancy and parenting advice service Bounty UK Ltd £400,000 for sharing the personal data of over 14 million individuals with a number of organisations, including credit reference and marketing agencies, without telling the individuals it would do so. That penalty was issued under the earlier Data Protection Act 1998, which capped fines at £500,000, because the sharing took place before GDPR came into force.
Multiple routes to claim compensation
You can in certain circumstances make a claim for compensation for both material and non-material damage including, but not limited to, distress and reputational damage, if your data has been misused or if there has been an infringement of the GDPR.
The GDPR broadened who you can make a claim against. You can claim against the data processor, as well as the data controller.
For example, previously you wouldn’t have been able to claim against a misuse of your personal data by a call centre acting as a processor. Instead you would have had to find out who the controller was that the data processor was handling the data for and make a claim against them. But now you can make a claim against either or both entities.
Compensation can be claimed for damage suffered as a result of a breach, including financial losses and any distress caused. While you can take both a controller and a processor to court, you can only recover your loss once, so you won’t be able to recover in full against both entities.