The General Data Protection Regulation, or GDPR, was enacted in the UK in May 2018, bringing much-needed clarity and oversight to how websites collect and use user data. For consumers, the legislation marks a significant step forward in transparency about what companies can learn about their website visitors, along with your rights to protect your data online. The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
Here’s what happened when GDPR went into effect and how it affects you as a digital consumer.
Subject Access Requests are Now Free
A subject access request allows you to obtain your own data from the company using it. This was a right under the former Data Protection Act in 1998, but you had to pay a small fee. With GDPR, you have a right to access this data for free in most cases.
You might initiate a subject access request if you believe a company is using your data unlawfully, or simply to see what data they’ve collected.
Once initiated, the company must provide a response within 30 days of your request (in the past, this window was 40 days). However, companies do have a right to request an extension of up to two months and must inform you before the 30-day window closes. Extensions are usually requested for complex or numerous requests.
Websites Will Still Collect Personal Data
Any time you visit a website, the website collects data on your session. When you make a purchase, the website collects even more data, such as your name, address, phone number, and other personal details.
Under GDPR, companies will still collect information, but IP addresses and other online identifiers have been added to the definition of personal data.
Regardless of the data they collect, companies must disclose to you why and how they plan to use your data (including for marketing purposes), in plain language.
There are major fines for companies that break the rules: up to €20M or 4% of annual global income, whichever is greater.
Your Consent is Needed to Receive Marketing Messages
If companies plan to use your data for marketing purposes, you will need to consent to their request. Under GDPR, you must actively indicate that you want to receive further communications, such as by ticking an opt-in box for email.
An exception to this rule is when you do business with a company, such as making a purchase, and do not opt out of receiving marketing messages.
The new rules state that opting out of marketing should be as easy as opting in. Companies should give you an easy way to cease marketing communications.
When Companies Need to Process Your Personal Data
According to GDPR, companies need a viable, logical reason to collect and process your data. Under Article 6, the purpose must meet at least one of the following requirements:
- Consent – You have agreed to allow the company to process your data for one or more specific purposes.
- Contract – The company must process your data to fulfill a contractual obligation you’re involved in.
- Legitimate Interests – Data processing is necessary to pursue the organisation’s legitimate interests or the interests of a third party, except under circumstances where data protections override said interests.
- Legal Fulfillment – Data processing is required to fulfill a legal obligation to which the organisation is subject.
- Public Interests – Data processing is necessary to serve the public interest.
- Vital Interests – Data processing is required to protect the vital interests of you or another person.
The Information Commissioner’s Office uses a three-part test to verify purpose:
- Is the company pursuing a legitimate interest?
- Is data processing necessary for this purpose?
- Do your interests override the company’s legitimate interest?
Companies Must Give You More Control Over Your Data
Under the GDPR laws, you now have more control over how your data is used, and by whom. For starters, you can request your data to be erased or forgotten, either by a verbal or written request, with very few exceptions. Likewise, you can also ask for incorrect information to be corrected.
Consumers now have the right to object to their data being used by online retailers for profiling for direct marketing purposes. Companies are required to inform you of this right at the first point of communication.
You can appeal automated decisions, such as those pertaining to credit or online job recruiting, in certain circumstances. What’s more, companies must notify you immediately if they experience a data breach that may affect you. They are required to explain in plain language the details of the breach and provide you with the following:
- The point of contact for the company’s data protection, including a name and phone number
- A description of the potential impact of the data breach
- Details of the steps being taken by the company to mitigate the fallout of the breach
In the event a company does not comply with GDPR and it affects your personal data, you may be able to make a claim for compensation.
For the most part, GDPR will not change the way you browse and interact with websites. Rather, the aim is to place greater accountability on website owners for protecting your data and only processing it when necessary. The more you know about your rights as a consumer, the better chance you have of protecting yourself.
Find out more on the Information Commissioner’s website.