
25 May 2018

New GDPR data protection law applies to the UK from today - but what does it mean?

As GDPR comes into force, Which? explains six of the new rules you need to know

The General Data Protection Regulation (GDPR) comes into force today, giving everyone in the UK and across the EU clearer control of the personal data organisations hold about us.

'We've updated our privacy policy.' 'Let's stay in touch.' 'Want to keep hearing from us?'

We've all received emails from companies asking to stay in touch with us for weeks now, but why is it happening?

The new data protection rules introduced by GDPR now apply across the EU, and in the UK they are supplemented by the Data Protection Act 2018.

The changes GDPR has brought build on the previous Data Protection Act 1998, giving you more rights and protections around your personal data.

GDPR gives you more control

Which? consumer rights expert Adam French said: 'GDPR will strengthen your personal data rights, including the way companies handle your data and redress for misuse of that data.

'Companies will need to tell you exactly what you're signing up for and you will have more control when it comes to opting out of future marketing emails.

'You will also have more opportunities to make a claim for damage caused by the misuse of your data.'

We explain six of the new rules, and what they mean for you.

1. In most cases companies will need your active consent

To send marketing material to you by email, companies will usually need to demonstrate that they have your consent to do so, and that the consent meets the required standard set out by GDPR.

This is why many of us have received a flurry of emails, forms and other communications over the last month asking us to review our privacy settings.

Some companies will already have GDPR compliant forms of marketing consent. Other companies may not need to rely on consent for marketing communications.

If you don't update your preferences or actively opt-in, many companies may assume you don't want to continue receiving further communications and will remove you from their databases.

Withdrawing your consent should be as easy as giving it. Companies should make it easy for you to do so, for example by providing an unsubscribe link at the bottom of all of their marketing emails.

2. Is it clear what you're signing up to?

Companies have to clearly explain what you're signing up for or opting in to at the point you're presented with the choice.

Your positive opt-in is based on the information presented to you at the time, so it shouldn't later be used for anything you didn't sign up to.

3. You can request data in a format that will help you

You have the new right to data portability under the GDPR, which means you can ask for your data from a company in a machine-readable format.

This is not an absolute right - it only applies to personal data you have provided to a company yourself, where the processing is based on your consent or on a contract with you, and where the processing is carried out by automated means.

This will enable you to reuse your data - for instance, it could help you get a better energy deal if you upload your usage data to a switching service.

4. Find out what data an organisation holds on you - for free

Under the new regulations, you have the right to access the personal data an organisation holds about you - this is called a Subject Access Request (SAR). You can also ask for that data to be deleted (the right to erasure), although that right is not absolute and only applies in certain circumstances.

Previously you may have had to pay a fee of up to £10 for a Subject Access Request, which the GDPR has scrapped.

Requests for personal information a company holds on you must be responded to within one month, with some allowances for extensions.

A word of warning: if your request is manifestly unfounded or excessive, the data controller may still charge a reasonable fee or refuse to act on the request.

5. Your rights when there's a serious data breach

If a business suffers a personal data breach that is likely to put your rights and freedoms at high risk - for example, the loss or theft of your data - it must tell you without undue delay.

The company should explain the nature of the personal data breach, its likely consequences, what it is doing about it and who to contact.

Companies also need to report the breach to the Information Commissioner's Office within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.

6. More routes to getting compensation

You also now have more opportunities to make a compensation claim for a misuse of your data.

You can now make a claim against the data processor as well as the data controller, but you can only be compensated once for the same damage.

You're able to claim compensation for both material and non-material damage, which includes distress and reputational damage.