Tough new data protection rules – called GDPR – will come into force on May 25 across Europe, including here in the UK. These new regulations will dramatically change how companies collect, store and reuse your personal data.
They have to tell you how they are using the information you have provided. You also have the right to ask that the company deletes your data.
The rules are known as the General Data Protection Regulation, and govern the collection and processing of personal data of any person currently residing within the European Union or the larger European Economic Area (EEA). GDPR comes into effect on May 25, 2018. As Britain is still part of the EU, the GDPR regime will be law here as well – and even if we leave the EU, our own Data Protection Bill that emulates most of the key features of GDPR will soon be signed into UK law.
What does GDPR mean for me?
You will most likely have been receiving letters and emails from companies asking if they can stay in contact with you.
In order for them to keep sending you marketing after May 25, they need a lawful basis for doing so; for most email marketing that means you must have freely given clear, affirmative consent. It’s not enough for a firm to email you asking for permission, and then claim that a lack of response meant you had tacitly agreed.
They have to keep a record of when you agreed. That’s why you may find that newsletters and websites that you have visited long ago are asking you to confirm that you wish to continue with your subscription.
Will GDPR affect my bank and credit card company?
Under the GDPR rules, companies will be allowed to continue to contact you and hold your data if you have a contract with them, says John Greenwood, executive director of Compliance3 Limited, a company which helps prevent payment and personal data fraud.
Other financial services companies with whom you have a relationship, for example your insurance provider, might send you updated terms and conditions, but they don’t have to expressly ask for your consent to stay in touch.
Companies which don’t have a relationship with you, and who are competing strongly for your custom, might provide an incentive for you to stay in touch, Greenwood says.
“I have seen in the gaming industry that there are incentives for customers in the form of free plays, or retailers who offer clubs for customers to join to get special deals,” he says.
After Brexit, the rules will not change, because any company trading with European citizens has to abide by this legislation.
“For the UK to trade with Europe it has to have ‘equivalent data protection’. This means that anyone who trades with EU citizens has to have the same protections, and since around 40% of our trade is with Europe, UK companies will have to abide by the same rules.”
Credit reference agencies are still allowed to use your data and share it, but you can request your file for free under the new laws. The agency must give you the information within one month of your request (extendable by up to two further months for complex or numerous requests), including details of any third parties it has shared your data with. If not, it is breaking the law.
Will GDPR give me more control over my personal information?
Yes. Companies must tell you how they are using the data they collect and, in many circumstances, must delete it at your request. They can’t keep sending you marketing unless they have a lawful basis for doing so, which for most direct marketing means your consent.
Public bodies, and companies whose core activities involve large-scale monitoring of people or large-scale processing of sensitive data, must appoint a Data Protection Officer who oversees how the organisation protects your data and acts as its contact point for you and the regulator. Reporting breaches to the regulator remains the company’s own legal duty.
The rules are tough. If a company doesn’t follow them, or fails to report a data breach in the allotted time, it can be fined.
The maximum fine is €20 million or 4% of the company’s annual worldwide turnover, whichever is greater, for the most serious breaches, and €10 million or 2% of annual worldwide turnover, whichever is greater, for other breaches.
What are my data protection rights with GDPR?
The new rules give consumers much more control over what happens to their data. The full scope of GDPR is vast, but here are the key points:
- You have the right to see what information is held about you. You can ask what data a company holds and they must provide you with a copy of what is in their database about you.
- You have the right to erasure. In certain circumstances, for example if you no longer do business with a company and it no longer needs your data, or if you withdraw the consent it was relying on, you have the right to have that information deleted. This is also known as the “right to be forgotten”.
- You must be notified of serious data breaches. If a company discovers that your personal data has been leaked or stolen and the breach is likely to put you at high risk, it must tell you without undue delay. It must also notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of any breach that poses a risk to the people affected.
Some other rights include the right to rectification (all stored personal data about you must be correct); the right to data portability (you should be able to easily transfer your data from one system to another); and rights to know when and how automated decisions are made about you (when applying for a credit card, for example). To learn more, check the ICO’s GDPR website.
There are some exceptions to these rights. If, for example, you have signed a contract and have given your insurance company permission to contact you again when your policy comes up for renewal, they will be able to do so.
A new era
Patrick O’Kane, a barrister and in-house data protection officer, who has written a book on the subject, called GDPR: Fix it Fast, says: “In the past, large and small banks often did what they wanted with our personal information (‘data’). We often didn’t know what was happening behind the veil and we largely left them to it.
“The GDPR coming into force on May 25 is like a new sheriff coming into town. The ‘Wild West’ days, when financial institutions and companies played fast and loose with our data, are over. We also have more rights over our data including the right, in some cases, to take all our data from our bank or mortgage and move it to a new service provider. There are stricter rules too around keeping our information safe.”
He said banks and companies that process the personal data of EU residents when providing financial services are now subject to the GDPR’s new rules – wherever in the world those companies are based.
UK Finance, which represents nearly 300 of the leading firms providing finance, banking, markets and payments-related services in or from the UK, said one effect would be that websites would have more detailed privacy notices.
Customers will have better access to information about who their personal data has been shared with, and will be able to request that inaccuracies in data about them are corrected, it said.