On 25 May the General Data Protection Regulation (GDPR) will be applicable across the EU, strengthening consumer rights around personal data and the way companies must handle it.
In the UK, the GDPR will be incorporated into the Data Protection Act 2018 – the Bill is currently going through Parliament.
It builds on the current 1998 Data Protection Act and will strengthen the legislation, giving you more rights and protections.
Your data – and what companies do with it – has barely been out of the news this year, as a series of revelations, including the use of Facebook data for political profiling, has worried many consumers.
- If you want to control what information you give the social network or delete your account, you can follow our five steps to managing your Facebook data and ad preferences.
Here, we explain all the main changes that give you more control over your data, and how they are likely to affect you.
1. Your consent will need to be active
Under GDPR it will be down to you to make a positive ‘active’ choice to agree to further direct marketing communications, such as ticking a box or agreeing over the phone.
All companies will also have to provide you with the option to opt out at the time your data is collected and in all future communications.
- If you want companies to stop using your data, make a request to an organisation to stop processing your data for the purposes of direct marketing.
2. It must be clear what you’re signing up to
Companies have to tell you specifically what you’re signing up for or opting in to – vague or blanket consent is no longer good enough.
The purpose for requesting your data and who it will be shared with must be clearly stated at the point you make the choice.
Importantly, your positive opt-in shouldn’t later be used for anything you didn’t sign up to.
3. You can ask for data in a format that will help you
GDPR introduces the right to data portability. That means you can ask for your data from a company in a machine-readable format that enables you to reuse it, for instance in helping you get a better energy deal.
4. You can opt out of profiling
Companies must inform you of your right to object at the point of first communication and in their privacy notice, and must stop processing your personal data as soon as they receive an objection.
For many purposes, you will still want companies to keep handling your personal information so they can carry out the tasks you need them to perform.
5. Appeal automated decisions made using your data
Companies often use algorithms to make decisions automatically about some issues, such as an online decision to award a loan or the scoring of a recruitment aptitude test.
This analysis reveals links between your different behaviours and characteristics to create a personalised profile of your preferences.
That profile might then be used to award you a loan (or to reject your application) or to screen an application for a job.
Once GDPR is adopted, you can object to solely automated decision making, and some of these decisions (such as online credit or e-recruiting) will be subject to additional controls.
6. Serious data breaches
If there is a serious breach of your data, you have to be told as soon as possible. The company should explain to you, in clear and plain language, the nature of the personal data breach and, at least:
- the name and contact details of its data protection officer or other contact point that can provide more information;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, the measures taken to mitigate any possible adverse effects.
The ICO has the power to compel companies to inform affected individuals if it considers there is a high risk, where the company hasn’t.
- Take these steps to protect yourself and make a compensation claim if you become aware that an organisation has lost your data.
7. More routes to getting compensation
You also now have more opportunities to make a claim for a misuse of your data and get compensation for both material and non-material damage including, but not limited to, distress and reputational damage.
The GDPR update also broadens who you can make a claim against, enabling you to claim against the data processor, as well as the data controller.
Compensation can be claimed for the breach, financial losses and also any distress caused. While you can take both the processor and the controller to court, you can only recover compensation once for the same damage.
Which? calls for collective compensation
Which? is calling for an amendment to the Data Protection Bill to include collective redress. This would allow independent organisations acting in the public interest, such as Which?, to act as a representative on behalf of groups of affected consumers.
Collective redress would mean consumers wouldn’t need to sign up to an action to get quick, easy and cheap access to justice when they experience a financial loss following a data breach.
- Read more on how GDPR strengthens your personal data rights, including the way companies handle your data and redress for misuse of that data.
- Read our Data Protection Act guide for more on the existing regulations.