Anyone who has subscribed to an online newsletter or used any online service will have heard about new privacy policies, and the new legislation in the form of the General Data Protection Regulation, or GDPR. A very large number of companies, including Solidarity IT, sent out emails asking people to re-subscribe to their newsletters.
For the companies themselves, the changes have been significant, due to the new guidelines for documentation. For customers the changes are subtle enough that, if it weren’t for the new privacy policies and subscriptions to renew, they might not have realised anything changed at all. So here are a few pointers to understand the basics of GDPR, and how it affects customers.
How the GDPR helps strengthen your rights
GDPR standardizes data protection across the whole of Europe
GDPR doesn’t just cover Britain; it covers the whole of Europe and affects companies that have offices in Europe. This helps reduce confusion from dealing with differences in law between countries.
GDPR enforcement has teeth
Failing to comply with the GDPR can result in fines of up to £17.5m, or 4% of company annual turnover. That shows how serious these new regulations are. The law is meant to ensure that companies can’t afford to ignore the safety of their customer data.
If something goes wrong, the response has to be fast
All breaches of personal data have to be reported within 72 hours. A breach is defined as any situation where data about an individual is likely to have been seen by someone who isn’t supposed to access that data. Companies are required to have plans in place for responding to such an incident.
The rights you have under GDPR
The right to be informed
You have the right to know when people are collecting data about you, and what that data is being used for. You have the right to know how long that data will be kept for and where.
The right of access
You can make a request to see what information is being held about you, and this request has to be honoured within a month. Previous data protection laws allowed companies to charge for this, but under GDPR, it must be provided for free.
The right to rectification
You have the right to request to have inaccurate or incomplete information corrected. Requests must be fulfilled within a month of being made.
The right to erasure
Also known as the right to be forgotten, this lets you request that information stored about you be deleted. As with other requests regarding information about you, the company has one month to comply.
The right to restrict processing
You have the right to request that information about you is restricted, meaning that the company cannot use it, even if they are still storing it. As usual, the company has one month to respond.
The right to data portability
You have the right to obtain a copy of your data that you can then transfer to another organisation.
The right to object
You can object to having information about you processed by an organisation. This always applies in the case of marketing. A response must be made within the standard one-month time limit.
Rights in relation to automated decision making and profiling
You have the right to know if your information is to be used in automated decision making, and the right to request human involvement in a decision or to challenge an automated decision.
Reasons for exemptions
Individual rights may be limited if a company can prove that it has a legitimate reason for doing so. These circumstances generally cover issues of security and the protection of others.
The information provided here is intended as a basic introduction, and further information can be found on the Information Commissioner’s Office website.