What is GDPR and how does it affect you?
The General Data Protection Regulation (GDPR) is a set of EU-wide data protection rules that have been brought into UK law as the Data Protection Act 2018.
Here, we explain some of the most important rights you have to control your data, how these data protection rights could affect you and how you can use them.
Will my data rights change when the UK leaves the EU?
If the UK leaves the EU with no deal, you won't see an immediate change in the UK’s own data-protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it.
In a no-deal scenario, the Information Commissioner’s Office (ICO) will no longer be part of the arrangement set up by the GDPR that allows EU data regulators to coordinate on complaints from EU member state citizens.
This means the ICO will not be able to co-operate with equivalent data protection authorities in the EU about complaints from UK citizens. In addition, if a company is only based in an EU member state, the ICO may not be able to consider a complaint about that company.
Read our Brexit guide for more information on how the UK leaving the EU could impact protection of your personal data.
You can also sign up for Brexit advice updates - Which? cuts through the noise to find the facts. Our practical and impartial consumer advice, rigorously researched and regularly delivered by email, can help you prepare for the UK leaving the EU.
Collecting your personal data
When you buy goods and services, or sometimes even just visit a website, the organisations you deal with may collect information and data about you.
This might include your name, address, and date of birth. This type of data, which is capable of identifying a living individual, is called 'personal data'.
Organisations may even include things like the school you went to, the job you do, details about your partner or family or the sorts of things you view or buy online.
Like it or not, many organisations, including councils, hospitals, travel companies, banks and supermarkets hold data about you.
The GDPR adds in a new range of personal identifiers, reflecting changes in technology and the way companies gather data today.
Online identifiers, such as your IP address, are now included within the definition of personal data.
Read our guide on what counts as personal data if you'd like to know more.
Your consent will need to be positive
The regulation means pre-ticked consent boxes should be a thing of the past.
Under GDPR rules it is up to you to make a positive choice to agree to further direct marketing communications by email, such as ticking a box or agreeing over the phone.
Withdrawing your consent should be as easy as giving it. Companies should make it easy for you to do so, for example by providing an unsubscribe link at the bottom of their marketing emails.
In some cases it organisations can continue to contact you - the Privacy in Electronic Communications Regulations (PECR) allows organisations to contact you by email for marketing purposes as long as the email is sent by the same legal entity and about the same or similar products or services.
Or, if you have positively consented to be contacted for marketing, that marketing activity can continue.
If you want companies to stop using your data, make a request to an organisation to stop processing your data for the purposes of direct marketing.
Data protection: jargon buster
- Processing is the act of obtaining, recording, holding or using personal data.
- Data subject is an individual who is the subject of personal data.
- Data controller is a person or organisation that decides how personal data is processed. In many cases they will need the consent of the data subject to do this.
- Data processor is any person or organisation that processes data on behalf of the data controller.
Six legitimate reason to process your data
At least one of the following lawful bases set out in Article 6 of GDPR must apply whenever an organisation processes your personal data:
- Consent clear consent to process personal data for a specific purpose.
- Contract the processing is necessary for the completion of a contract between the organisation and the individual.
- Legal obligation the processing is necessary to comply with the law.
- Vital interests the processing is necessary to protect someone’s life.
- Public task the processing is necessary to perform a task in the public interest or an official function with a clear basis in law.
- Legitimate interests the processing is necessary for the organisations legitimate interests or those of a third party unless there is a good reason to protect the individual’s personal data.
The European Court of Justice has set out a three part test to asses whether data is being processed in line with legitimate interests or not:
- Is there a legitimate interest behind the processing?
- Is the processing necessary for that purpose?
- Is the legitimate interest overridden by the individual’s interests, rights or freedoms?
It must be clear what you’re signing up to
Companies should make it clear what you are signing up for or opting in to, using plain language that’s easy to understand.
The purpose of collecting your personal data (for example, for marketing) must also be made clear to you at the point you make the choice.
Importantly, your positive opt-in shouldn’t later be misused to contact you for anything you didn’t sign up to.
You can ask for data in a format that will help you
If data provided is digitally processed, you’ll have the right to request that data in a machine-readable format and the right to have that transmitted to another data controller.
This right exists if you have provided your personal data to the company and either:
- the company processes that personal data with your consent or in order to fulfil a contract; or
- the processing of your personal data is being carried out by automated means.
In theory, the right to personal data portability will allow you to move, copy or transfer personal data more easily from one IT environment to another in a safer and more secure way.
This also enables you to take advantage of applications and services such as price comparison websites, which can use this data to find you a better deal.
For example, the best energy provider to switch to, getting a competitive broadband package or finding the best mortgage deals through price comparison websites.
You can opt out of profiling
You now have the right to opt out of activity from online retailers and companies, including profiling used for direct marketing purposes.
Companies must inform you of your right to object at the point of first communication and in their privacy notice, and must stop processing your personal data as soon as they receive an objection.
For many purposes, you would want companies to continue handling personal information to perform the tasks you need them to.
Appeal automated decisions
GDPR gives you the right to object to solely automated decision making. Some decisions (such as online credit or e-recruiting) are also be subject to additional controls.
When you object you can ask for a human to review that decision, but it doesn't necessarily mean the result will be any different.
Read our guide for more information on how automated decision making and profiling work, including what you can do to stop it.
Serious data breaches
If there is a serious breach of your data, you have to be told right away. The GDPR introduced a duty on all organisations to report certain types of serious personal data breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it, where feasible.
If there has been a breach, the company should explain to you, in clear and plain language, the nature of the personal data breach and, at least:
- the name and contact details of its data protection officer or other contact point that can provide more information
- a description of the likely consequences of the personal data breach
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, the measures taken to mitigate any possible adverse effects.
The ICO has the power to compel companies to inform affected individuals if it considers there is a high risk, where the company hasn’t.
Take these steps to protect yourself and make a compensation claim if you become aware that an organisation has lost your data.
Huge fines for companies if they break the rules
In the most exceptionally severe cases where companies have breached the new rules, the ICO could issues fines up to €20m or 4% of annual global revenue – whichever is higher.
But GDPR is not about issuing big fines, and it's unlikely ICO will stray far from the size of fines it's issued in the past.
Previously, the highest fine that could be levied was £500,000.
Multiple routes to claim compensation
You can make a claim for a misuse of your data and get compensation for both material and non-material damage including, but not limited to, distress and reputational damage.
The GDPR broadened who you can make a claim against, and you claim against the data processor, as well as the data controller.
For example, previously you wouldn’t have been able to claim against a misuse of your personal data by a call centre acting as a processor. Instead you would have had to find out who the data processor was handling the data for and make a claim against the controller. But now you can make a claim against both.
Compensation can be claimed for the breach, financial losses and also any distress caused. While you can take both to court, you can only win once.
Find your data - subject access requests
The right to make a subject access request existed under the former Data Protection Act 1998.
A subject access request allows you to act on your right to obtain access to your personal data held by a company.
Previously you had to pay a small fee to make one, but under the Data Protection Act 2018, it now has to be free of charge.
You might make a subject access request if you think that a company is not processing your data lawfully.
Companies have to provide you with the information without delay and at the latest within one month of receiving your request.
This is shorter than the previous 40-day timeframe. However, companies are allowed to extend the period by a further two months if the request is complex or numerous.
If this is the case, the company must inform you within a month from the date you made the request and explain why the extension is necessary.
A word of warning, if your request is unfounded or excessive, the controller of the data may still charge a fee or refuse to act on the request.