With just days to go until the General Data Protection Regulation (GDPR) becomes enforceable, large companies, small businesses and indeed any organisation that holds personal data on individuals are busy gaining our consent for marketing and evaluating the data they have about us.
What is Personal Data?
Today personal data is used in everything from sales, when we purchase from a business or use a service, to customer relationship management systems and marketing. This might include your name, address and date of birth; indeed, any data capable of identifying a living individual is called ‘personal data’. It also includes paper records as well as online information.
But have you ever stopped and thought about what a particular organisation holds about you and how you can find this out?
The Data Protection Act 1998
Well, even before anyone heard of the GDPR, we’ve always been able to access and find out what information an organisation has about us, under the Data Protection Act (DPA). By writing to a company you can ask for the information they hold and they are legally required to inform you.
There are a few exceptions to this rule, when information can be withheld. Information about the prevention, detection or investigation of a crime, a matter of security or the armed forces, or the assessment or collection of tax are a few examples. Under the Data Protection Act, organisations can charge you for providing the information, which is usually no more than £10.
How is GDPR Different?
From 25th May 2018, under the GDPR you’ll be able to make a subject access request and in most cases this will be free of charge. You can make this request verbally or in writing and the organisation has one month from receipt of your request to respond. Once you receive this information you can have any inaccurate personal data amended, or added to if it’s incomplete. The GDPR also introduces a right for individuals to have personal data erased, known as ‘the right to be forgotten’, although it is not absolute and only applies in certain circumstances.
Exercising the right to object to direct marketing will be easier under GDPR. You’ve probably noticed a few emails in your inbox from companies wanting to stay in touch after the 25th May. They now require your consent to market to you, which means you agree to be contacted and tick a box that makes it clear what you’re agreeing to.
The personal data that many organisations hold on us, such as council, doctor or hospital records, is essential to daily life, but it will now be easier for individuals to select what they receive from companies and to unsubscribe from those they no longer require or want to receive. Consent means offering people genuine choice and control over how their data is used.
The Information Commissioner’s Office (ICO), who are responsible for GDPR, state: ‘Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.’
It’s important to note that GDPR adds to, rather than alters, consumer rights and protections. GDPR will build on the Data Protection Act, strengthen your personal data rights and give you more control over how and what organisations store about you.