
Seven ways GDPR will strengthen your data protection rights

Regulatory upheaval giving us more control over our data is only one month away - what does it all mean?

On 25 May the General Data Protection Regulation (GDPR) will be applicable across the EU, strengthening consumer rights around personal data and the way companies must handle it.

In the UK, the GDPR will be incorporated into the Data Protection Act 2018 – the Bill is currently going through Parliament.

It builds on the current 1998 Data Protection Act and will strengthen the legislation, giving you more rights and protections.

Your data – and what companies do with it – has barely been out of the news this year, as a series of revelations, including the use of Facebook data for political profiling, has worried many consumers.

Here, we explain all the main changes that give you more control over your data, and how they are likely to affect you.

1. Your consent will need to be active

Under GDPR it will be down to you to make a positive ‘active’ choice to agree to further direct marketing communications, such as ticking a box or agreeing over the phone.

All companies will also have to provide you with the option to opt out at the time your data is collected and in all future communications.

2. It must be clear what you’re signing up to

Companies have to tell you specifically what you’re signing up for or opting in to – vague or blanket consent is no longer good enough.

The purpose for requesting your data and who it will be shared with must be clearly stated at the point you make the choice.

Importantly, your positive opt-in shouldn’t later be used for anything you didn’t sign up to.

3. You can ask for data in a format that will help you

GDPR introduces the right to data portability. That means you can ask for your data from a company in a machine-readable format that enables you to reuse it, for instance in helping you get a better energy deal.

4. You can opt out of profiling

Companies must inform you of your right to object at the point of first communication and in their privacy notice, and must stop processing your personal data as soon as they receive an objection.

For many purposes, you would want companies to continue handling personal information to perform the tasks you need them to.

5. Appeal automated decisions made using your data

Companies often use algorithms to make decisions automatically about some issues, such as an online decision to award a loan or in a recruitment aptitude test.

This analysis reveals links between your different behaviours and characteristics to create a personalised profile of your preferences.

That information might be used to award you a loan (or to reject your application) or to screen an application for a job.

Once GDPR is adopted, you can object to solely automated decision making, and some of these decisions (such as online credit or e-recruiting) will be subject to additional controls.


6. Serious data breaches

If there is a serious breach of your data, you have to be told as soon as possible. The company should explain to you, in clear and plain language, the nature of the personal data breach and, at least:

  • the name and contact details of its data protection officer or other contact point that can provide more information;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, the measures taken to mitigate any possible adverse effects.

The ICO has the power to compel companies to inform affected individuals if it considers there is a high risk and the company hasn’t already done so.


7. More routes to getting compensation

You also now have more opportunities to make a claim for a misuse of your data and get compensation for both material and non-material damage including, but not limited to, distress and reputational damage.

The GDPR update also broadens who you can make a claim against, enabling you to claim against the data processor, as well as the data controller.

Compensation can be claimed for the breach, financial losses and also any distress caused. While you can take both the processor and the controller to court, you can only win once.

Which? calls for collective compensation

Which? is calling for an amendment to the Data Protection Bill to include collective redress. This would allow independent organisations acting in the public interest, such as Which?, to act as a representative on behalf of groups of affected consumers.

Collective redress would mean consumers wouldn’t need to sign up to an action to get quick, easy and cheap access to justice when they experience a financial loss following a data breach.

 
