The General Data Protection Regulation (GDPR) is a new EU data protection law that aims to give the public more control over the information held about them. It comes into effect on 25th May 2018, after which companies must be able to comply with consumers’ requests about their data.
Penalties for not being able to do this could be high, with maximum fines set at €20 million or 4% of global turnover, whichever is higher.
Your consumer rights in a nutshell
According to the Information Commissioner’s Office, the government body that enforces GDPR in the UK, GDPR grants individuals rights regarding:
- Giving consent for data use
- Access to your personal data
- Rectification – correcting errors
- Erasure – deletion of records
- Processing restrictions
- Data portability consent – swapping your data between companies
- Ability to object
- Automated decision making and profiling implications.
Under GDPR you can ask companies questions about the data they hold on you, and they should reply. They should also do so free of charge, unless you make repeated requests or the work required to provide the information is excessive.
We’ll go into these rights in more detail and strip out some of the jargon.
Giving consent – the right to be informed, and portability
Essentially, companies have to get you to agree to them handling your personal information beforehand. For example, if you sign up for a free gift and there’s a tick-box, already ticked, saying that you agree to have marketing information sent to you, that pre-ticked box will be illegal under GDPR.
You must give explicit consent for a company to hold your data. At that time, the company should also tell you how they will use your data.
This may include ‘portability’, where a company may pass on some of your data to another company. For example, an insurance comparison website must be able to pass on some of your contact details (perhaps not your name) and driving history to insurance companies. If they didn’t, they wouldn’t be able to show you any quotes.
Access, rectification and restriction
You can ask companies to show you the information they hold on you, including the record of how and when you gave your consent for it to be used. If the details are wrong, you can ask for them to be corrected.
The right to restrict processing basically means you can ask a company not to use your information, only to hold it. This might be because the information was needed in the past but isn’t now, or the way the information is being used is now illegal.
Erasure and objection
Under the right to erasure, often referred to as ‘the right to be forgotten’, you can ask companies to delete all the data they hold on you.
Companies do not have to delete your data in certain circumstances, though, such as if the company needs your data to defend a legal claim or is prevented by law from deleting it. They can also refuse if they believe they are using your data for public health purposes, to exercise the right of freedom of expression or interest, or to be archived in the public interest or for statistical or historical research purposes.
You also have the right to object to any of the above if you consider that a company’s response to your request is not good enough.
Decision making and profiling
A potentially tricky area is the use of consumers’ personal data to make decisions or build profiles about them.
This use of data will prove difficult to police. Take, for example, being turned down for a loan through an online application: in theory, GDPR gives you the right to object to that decision, but as it’s early days yet, it’s not clear how that will be done or whether companies might find ways around it.
Consumers’ rights are stronger
Essentially, you have more power over your personal information under GDPR. You may never use it, but the fact that companies must comply means they are taking more care over your data – and that’s no bad thing.