There’s a lot of talk at the moment about the General Data Protection Regulation (GDPR), which came into effect on 25th May.

A lot of articles focus on companies becoming compliant, so I wanted to write something that would help consumers understand what the change means to them.

The GDPR applies to ‘controllers’ and ‘processors’ of personal data. It was created to replace the current Data Protection Act (DPA), with the aim of unifying data regulations within the EU while at the same time giving people greater control over their personal information.

Let’s face it, we all receive unsolicited emails and phone calls, and this is due to how companies share or sell our contact information. It has got better: reputable companies do now specify how your data is used and ask you to ‘tick’ boxes to give them permission.

In simple terms, companies now have to comply with the principles of fair processing, which are set out in Article 5. The key points are summarised below:

  • Be transparent in relation to the data subject
  • Tell the data subject what they are collecting the data for – they must be specific about the legitimate purposes of the business and the data used
  • Only collect what they need for the legitimate purposes of data usage
  • Keep the personal data up to date and accurate – inaccurate data must be deleted or rectified
  • Keep the data in a form that allows identification of the data subject for no longer than necessary for the legitimate purposes notified to the data subject
  • Keep the data secure.

A key part of the regulation is that it requires consent to be given by the individual whose data is held. The definition of consent in this situation means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed” (what a mouthful!).

Legislation now stipulates that individuals must be able to withdraw consent at any time and have a right to be forgotten; if their data is no longer required for the reasons for which it was collected, it must be erased.

When a company obtains data from an individual, some of the areas that must be made clear are:

  • The identity and contact details of the organisation
  • The purpose of acquiring the data and how it will be used
  • Whether the data will be transferred internationally
  • The period for which the data will be stored
  • The right to access, rectify or erase the data
  • The right to withdraw consent at any time
  • The right to lodge a complaint.

As a result of this, you are entitled to full access to the information stored about you and to know how that data is processed. This information should be available in a clear and understandable way.

What personal information are you entitled to request?

Under the GDPR, individuals will have the right to obtain:

  • confirmation that their data is being processed;
  • access to their personal data; and
  • other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see Article 15).

What is the purpose of the right of access under GDPR?

The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing (Recital 63).

Can a company charge a fee for dealing with a personal information access request?

A company must provide a copy of the information free of charge. However, they can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

A company may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that they can charge for all subsequent access requests.

Any fee must be based on the administrative cost of providing the information.

How long does a company have to comply?

The information must be provided without delay and at the latest within one month of receipt.

The company will be able to extend the period of compliance by a further two months where requests are complex and/or numerous. If this is the case, you must be informed within one month of the receipt of the request and be provided with an explanation as to why the extension is necessary.

What if your request is manifestly unfounded or excessive?

Where a request is found to be manifestly unfounded or excessive, in particular because it is repetitive, a company can:

  • charge a reasonable fee taking into account the administrative costs of providing the information; or
  • refuse to respond.

When a company refuses to respond to a request, they must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy, without undue delay and at the latest within one month.

How should the information be provided?

Your identity must first be verified using ‘reasonable means’.

If the request is made electronically, the information should be provided in a commonly used electronic format.

The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would give the individual direct access to his or her information (Recital 63). This will not be appropriate for all organisations, so the way you receive your data will vary.

To summarise:

It’s a lot to process, but the aim is to give you more control over your data, the information that is stored by an organisation and how it is used. This will hopefully stop or reduce the abuse and sharing of this data and, in the long run, stop those annoying unsolicited emails and phone calls that originate from within the EU/UK.

BUT, and it’s a big but, please don’t get your hopes up when it comes to annoying phishing/services/dating/bitcoin spam, as it is usually sent from services and/or countries that will not regulate the selling or sharing of data. The bottom line is that if you are receiving this type of spam now, you will probably continue to do so.

In our case, in relation to contractors, your data is used so that we can process your payroll, and it will only be used for specific, explicit and legitimate purposes. Always make sure, when physically or digitally signing any contract, that you pay attention to any information that pertains to your data and how it is used.

Note: most of this information was gathered from various sources on the web, with my main source being the ICO (Information Commissioner’s Office), which is a good place to start if you wish to make a claim.