General Data Protection Regulation – GDPR
What is GDPR and why do we need it?
As technology develops and our private data is being used and shared in countless new ways, people are understandably becoming increasingly worried about security.
There are two key reasons why GDPR is being introduced – to bring all EU member states under one common regulation, and to update regulations to reflect our new digital age.
Different countries in the EU follow different rules and regulations when it comes to data sharing and privacy, which can get quite confusing when data is being shared between people and companies in different countries. GDPR will be enforced across all 28 EU member states, meaning everyone is following the same rules!
In the UK, companies and charities are still following the 1998 Data Protection Act to ensure the safety of people’s data. But technology and data sharing has developed a lot since 1998. This means that the current regulation may not be entirely suitable for the needs of consumers and the types of technology we’re seeing today. GDPR will replace the Data Protection Act to better protect our data from breaches and hacks.
What data does it protect?
When people talk about technology and digital developments, there’s always a focus on data. But what data do they mean? GDPR aims to protect any personal data a company or charity holds about you – including your name, address, email address, images, social networking accounts, IP address or medical history.
It will also cover more sensitive data such as your sexual orientation, your genetics, your political views or any trade union memberships.
How will it affect UK businesses and charities?
Essentially, GDPR will affect everyone in all 28 EU member states, from businesses and charities big and small, to customers and consumers.
When it comes to implementing GDPR, the biggest changes will be seen by businesses rather than consumers – since they’re the ones who will have to adjust the way they handle data to align with the new legislation.
There are hefty penalties for those who don’t comply, including a fine of up to €20 million or 4% of the company’s total profit. Any data breach also needs to be reported to the relevant authorities within 72 hours, and if there’s a risk involved to the data subject (i.e the people the data concerns) they’ll have to inform their customers too.
How will GDPR affect me?
While businesses and charities will have to make changes to their data policies in preparation for the new regulations, consumers don’t have to do anything in particular to prepare.
That said, individual consumers will probably still notice some changes. You’ll probably find that when you buy products online or sign up to newsletters, there will be more obvious checkboxes relating to how the company can use your data – for example to send you emails, or share data with a third party.
However, GDPR also gives you a number of ‘rights’ when it comes to your data, including:
The right to be informed – you have a right to know how your data will be used by a company.
The right to access your personal data – you can ask any company to share with you the data they have about you!
The right to rectification – this just means you can update your data if it’s inaccurate or if something is missing.
The right to erasure – this means that you have the right to request that a company deletes any personal data they have about you. There are some exceptions, for example, some information can be held by employers and ex-employers for legal reasons.
The right to restrict processing – if you think there’s something wrong with the data being held about you, or you aren’t sure a company is complying to rules, you can restrict any further use of your data until the problem is resolved.
The right to data portability – this means that if you ask, companies will have to share your data with you in a way that can be read digitally – such as a pdf. This makes it easier to share information with other companies, such as your bank details when applying for a loan.
The right to object – you can object to the ways your data is being used. This should make it easier to avoid unwanted marketing communications and spam from third parties.
Rights in relation to automated decision making and profiling – this protects you in cases where decision are being made about you based entirely on automated processes rather than a human input.
Whether or not you exercise your new rights is up to you – the main thing to remember is that they’re there if you need them.