From 25 May 2018, the EU's General Data Protection Regulation (GDPR) will give everyone new data privacy rights.
And although the UK is in the process of leaving the EU, the government has announced it will retain the new rules post-Brexit (although the UK may be able to change its stance later).
If you want to take control of the way your data is collected and processed, you’ll need to understand your new rights under GDPR – and what they mean in reality:
- The right to be informed
- The right of access
- The right to data portability
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right object to ‘automated decisions’
The right to be informed
Before they can collect and store your data, organisations must now tell you why they’re doing it, how long they’ll keep it for and who it will be shared with. You’ll also be asked to give your consent before they can send you any marketing messages (so you can probably expect a lot of organisations to contact you before 25 May), and you can withdraw this consent at any time.
The right of access
This means you have clear rights to access your data, free of charge, within a month of your request. This makes it much easier for you to see what data a company has collected about you and why.
The right to data portability
You can also request a copy of your data in a ‘commonly used’ format (which won’t require specialist software to access), to use as you see fit. An example of how this might be used could involve banking products. Banks collect transaction data, and with your own copy of this data you can help price comparison sites more accurately predict which companies can provide you with a cheaper or better service.
The right to rectification
If any data is wrong or incomplete, you can send up-to-date information and an organisation must respond within a month (this can be extended if the information is complex), and forward the updates to everyone they share your data with. This ensures you aren’t misrepresented, and that insurers like AXA can give you the most accurate quotes.
The right to erasure
If you want to stop dealing with an organisation, or your life has changed significantly, GDPR allows you to request that data is deleted. Also known as the ‘right to be forgotten’, this must be followed unless a ‘compelling reason’ can be found to hang on to your information. In future, if you unsubscribe from a service, such as a social media platform, you can request that your personal information is deleted from their databases.
The right to restrict processing
If you’re unsure about an organisation’s behaviour or motives but don’t want to cut all ties, GDPR gives you the ability to tell them to stop using your data without forcing them to delete what they already have. In legal terms, this is called ‘restricting processing’.
The right object to ‘automated decisions’
An ‘automated decision’ is when your data is used to help decide if you’re eligible for products like loans, insurance or mortgages. This rule gives you the right for human intervention if you think you’re being unfairly treated based on these automated decisions, whether that’s being denied a credit card or refused financing on a new car.
If you’re worried about how an organisation is using your data, or suspect they aren’t complying with these rights, contact the Information Commissioner’s Office (ICO). For more information, you can also visit the European Commission's Data protection or the ICO’s Guide to GDPR.