The EU assures us that individuals’ rights are the heart of the new General Data Protection Regulation (GDPR).
So what does GDPR mean for consumers?
As organisations of all sizes gradually get to grips with the changes to data protection legislation, at the core of any policy reviews will be how best to manage our personal details.
Those who control and process data will have increased accountability from May 2018 for how, where and why information about individuals is being stored and used.
There are some significant changes to the 1998 Data Protection Act – essentially greater levels of transparency from the controllers and processors of your personal details.
In addition to this, your information must be presented in an accessible and easy-to-understand format.
The key differences between the Data Protection Act 1998 and the General Data Protection Regulation 2018 are:
|Data Protection Act (DPA) 1998||General Data Protection Regulation (GDPR) 2018|
|Time limit to comply with requests to access your data||40 days||1 month|
|Cost to access your data||£10.00||Free (in most cases)|
|The nature of consent||Negative opt out (e.g. tick here if you don’t wish to…)||Explicit consent must be given (unless another legal basis for processing exists)|
|Geographical impact||Only applies to UK||Applies to EU and any global organisation which holds the data of an EU citizen|
|Children’s data (likely to mean anyone under the age of 13)||Consent required but less explicit||Explicit consent must be provided by parent or guardian of child|
|Your right to data removal||No legal requirement to delete data||’Right to Erasure’ of all data held|
|Privacy Impact Assessments||Not compulsory||Compulsory to ensure organisations understand the potential risks to customers’ data|
|Privacy Notices (see below)||Outlines the rights of customers||Clear and explicit details which must be provided before collecting personal data|
GDPR Privacy Notices
Privacy Notices, the information issued to consumers by organisations about your rights, have some important revisions to the 1998 Data Protection Act.
Organisations will need to include, among others, the following in their Privacy Notices:
- Why your data is being collected and processed
- Your right to object to your data being used
- Your right to restrict use of your data
- The legal reasons for processing and by whom it will be used
- How long they plan to store your data
- Your right to withdraw consent
- Notification if your data is to be transferred outside the European Economic Area
- Your right to data portability (ie. your right to move data between organisations)
Overall, EU citizens will have greater control over their personal data. The regulations were developed to harmonise laws across member states and make individuals’ access to their data easier. Whether this will prove to be the case, remains to be seen. And although Britain is in the process of negotiating its departure from the EU, for the foreseeable future, Britain will be subject to the GDPR.