As technology develops and data sharing becomes more common, data protection is becoming more and more important. That’s why new legislation known as GDPR (General Data Protection Regulation) is being enforced on the 25th May. This will replace the existing Data Protection Act.
1. What is GDPR?
There are two key reasons why GDPR is being introduced – to bring all EU member states under one common regulation, and to update regulations to reflect our new digital age.
Different countries in the EU follow different rules and regulations when it comes to data sharing and privacy, which can get quite confusing when data is being shared between people and companies in different countries. GDPR will be enforced across all 28 EU member states, meaning everyone is following the same rules!
In the UK, companies are still following the 1998 Data Protection Act to ensure the safety of people’s data. But technology and data sharing have developed a lot since 1998. This means that the current regulation may not be entirely suitable for the needs of consumers and the types of technology we’re seeing today. GDPR will replace the Data Protection Act to better protect our data from breaches and hacks.
This is great news, considering huge companies like XBOX, Gmail, Uber and Three all experienced major data breaches last year. In fact, the UK government reports that 46% of all UK businesses have identified at least one data breach or cyber attack in the last 12 months, and that bigger companies (those making a profit of over £2M a year) are the most likely to identify a breach.
2. What data does it protect?
GDPR aims to protect any personal data a company holds about you – including your name, address, email address, images, social networking accounts, IP address or medical history.
It will also cover more sensitive data such as your sexual orientation, your genetics, your political views or any trade union memberships.
Read our Fair Processing Notice for more details on how we use and manage your personal data.
3. How will it affect UK businesses?
GDPR will affect everyone in all 28 EU member states, from businesses big and small, to customers and consumers.
When it comes to implementing GDPR, the biggest changes will be seen by businesses rather than consumers – since they’re the ones who will have to adjust the way they handle data to align with the new legislation.
There are hefty penalties for those who don’t comply, including a fine of up to €20 million or 4% of the company’s total profit. Any data breach also needs to be reported to the relevant authorities within 72 hours, and if there’s a risk involved to the data subjects (i.e. the people the data concerns), the company will have to inform its customers too.
4. How will GDPR affect me?
While businesses will have to make changes to their data policies in preparation for the new regulations, consumers don’t have to do anything in particular to prepare.
That said, individual consumers will probably still notice some changes. You’ll probably find that when you buy products online or sign up to newsletters, there will be more obvious checkboxes relating to how the company can use your data – for example to send you emails, or share data with a third party.
However, GDPR also gives you a number of ‘rights’ when it comes to your data, including:
4.1 The right to be informed – you have a right to know how your data will be used by a company.
4.2 The right to access your personal data – you can ask any company to share with you the data they have about you!
4.3 The right to rectification – this just means you can update your data if it’s inaccurate or if something is missing.
4.4 The right to erasure – this means that you have the right to request that a company deletes any personal data they have about you. There are some exceptions, for example, some information can be held by employers and ex-employers for legal reasons.
4.5 The right to restrict processing – if you think there’s something wrong with the data being held about you, or you aren’t sure a company is complying with the rules, you can restrict any further use of your data until the problem is resolved.
4.6 The right to data portability – this means that if you ask, companies will have to share your data with you in a way that can be read digitally – such as a PDF. This makes it easier to share information with other companies, such as your bank details when applying for a loan.
4.7 The right to object – you can object to the ways your data is being used. This should make it easier to avoid unwanted marketing communications and spam from third parties.
4.8 Rights in relation to automated decision making and profiling – this protects you in cases where decisions are being made about you based entirely on automated processes rather than human input.
Whether or not you exercise your new rights is up to you – the main thing to remember is that they’re there if you need them.