Your data, your say – understanding the General Data Protection Regulation

The EU assures us that individuals’ rights are the heart of the new General Data Protection Regulation (GDPR).

So what does GDPR mean for consumers?

As organisations of all sizes gradually get to grips with the changes to data protection legislation, at the core of any policy reviews will be how best to manage our personal details.

Those who control and process data will have increased accountability from May 2018 for how, where and why information about individuals is being stored and used.

There are some significant changes to the 1998 Data Protection Act – essentially greater levels of transparency from the controllers and processors of your personal details.

In addition to this, your information must be presented in an accessible and easy-to-understand format.

The key differences between the Data Protection Act 1998 and the General Data Protection Regulation 2018 are:

|  | Data Protection Act (DPA) 1998 | General Data Protection Regulation (GDPR) 2018 |
| --- | --- | --- |
| Time limit to comply with requests to access your data | 40 days | 1 month |
| Cost to access your data | £10.00 | Free (in most cases) |
| The nature of consent | Negative opt out (e.g. tick here if you don’t wish to…) | Explicit consent must be given (unless another legal basis for processing exists) |
| Geographical impact | Only applies to UK | Applies to EU and any global organisation which holds the data of an EU citizen |
| Children’s data (likely to mean anyone under the age of 13) | Consent required but less explicit | Explicit consent must be provided by parent or guardian of child |
| Your right to data removal | No legal requirement to delete data | ‘Right to Erasure’ of all data held |
| Privacy Impact Assessments | Not compulsory | Compulsory to ensure organisations understand the potential risks to customers’ data |
| Privacy Notices (see below) | Outlines the rights of customers | Clear and explicit details which must be provided before collecting personal data |

GDPR Privacy Notices

Privacy Notices, the information issued to consumers by organisations about your rights, have been revised in some important ways compared with the 1998 Data Protection Act.

Organisations will need to include, among others, the following in their Privacy Notices:

  • Why your data is being collected and processed
  • Your right to object to your data being used
  • Your right to restrict use of your data
  • The legal reasons for processing and by whom it will be used
  • How long they plan to store your data
  • Your right to withdraw consent
  • Notification if your data is to be transferred outside the European Economic Area
  • Your right to data portability (i.e. your right to move data between organisations)

Overall, EU citizens will have greater control over their personal data. The regulations were developed to harmonise laws across member states and make individuals’ access to their data easier. Whether this will prove to be the case remains to be seen. And although Britain is in the process of negotiating its departure from the EU, for the foreseeable future Britain will be subject to the GDPR.