GDPR and what it means for consumers?
The upcoming General Data Protection Regulation is a term heard a lot in the corporate workplace at the moment, and businesses are preparing themselves to accommodate the new legislation. Businesses that don’t co-operate with or adhere to it could face large fines issued by the Information Commissioner’s Office (ICO) or suffer severe reputational damage.
There is, however, not nearly as much excitement among citizens of the UK as there is hysteria within business, and we find that particularly odd, as this is a major breakthrough for the fundamental civil rights of UK citizens. This may be because, as a nation, we are disengaged from the topic of personal data and have accepted that we currently struggle to exercise these rights and to efficiently manage and control our own personal data.
The GDPR builds on the Data Protection Act, which addresses the legal rights consumers have over their personal details. It grants citizens of the EU and the UK more power and authority over how businesses process their personal data. One of the most significant changes is that a person has the right to obtain the information held on them, and the right to decide how businesses should handle it going forward, at no cost (provided the request is not excessive), whereas before there was an administrative fee of £10. It was ridiculous to expect a person to pay a fee for something which is ultimately theirs, and this often deterred people from making any proactive effort to obtain their information. Another change is that if your personal information is involved in a data breach, resulting in your personal details being leaked and potentially obtained by malicious fraudsters, you have to be notified within 72 hours, along with proposals for how to mitigate the effects.
Under the GDPR we have 8 individual rights that give us control over our personal information. We can exercise these rights in the form of a ‘subject access request’; this term is the legal jargon organisations and regulators use to describe what is essentially a person (the subject) who has the right to obtain (access) the personal data organisations hold on them, if they choose to ask (request) for it.
The 8 individual rights, and why they are useful to consumers, are as follows:
- The right to be informed – which essentially means that an organisation has to disclose whether they hold personal data on you, why they hold it, how long they keep it for and whether they have shared or sold it. This matters because it lets you easily identify who holds your personal data and make an informed decision on whether they should continue to hold it. For instance, if a company has shared my information with another company that has poor practices regarding personal information or weak security measures, I can make more informed decisions going forward.
- The right to access – which means as a consumer you have the right to access and obtain any information that is held about you. This is particularly important in many situations from obtaining medical records to gathering evidence in cases of escalated complaints.
- The right to rectification – which means that you can request your incomplete or inaccurate details to be updated. This can be important when you have moved address and you need to change it.
- The right to erasure – otherwise known as the right to be forgotten, it means that you can have your personal information completely and permanently deleted by the organisation that holds it. This works hand in hand with the right to be informed: if a company has shared my information with a third party that operates unethically or insecurely, I can request that they delete my information.
- The right to restrict processing – which means you can restrict companies from processing your information even though they still store your information. This is useful when you want to use a service that a company provides but don’t want them to share or sell your information.
- The right to data portability – which allows people to obtain and reuse their information across different services. This can be useful if you’re switching services from one company to another. For instance, if you are switching energy providers, you have the right to transfer your information.
- The right to object – which means you have the right to stop activities that are based upon personal data. This is important if you don’t want to receive marketing but still want to use the services that the company provides.
- The right to challenge automated decisions – which means any decision made about you with no human involvement can be challenged and reconsidered on a case-by-case basis by a human. For example, if a credit or mortgage application is refused and the decision wasn’t made by a human, you can request that the decision be reviewed.
Of course, in some cases these rights cannot be exercised if the request doesn’t conform to the standards the ICO sets. If a request is excessive, an organisation may reject it; if a request exercising the right to be forgotten interferes with freedom of expression, it may also be rejected. Although the GDPR has granted more authority to individuals, it is still quite difficult to exercise these rights in a lawful manner. Nonetheless, we as consumers still have these rights and should exercise them as liberally as possible. This is why at Mappd (www.getmappd.co.uk) we are doing everything we possibly can to make this tedious and manual process bearable, and to present our users with an easy and convenient way to use the rights granted under the GDPR and take control of our personal data.