This is a guest post by Sara Williams, an adviser at Citizens Advice who has her own website Debt Camel where she blogs about everything to do with debt and credit ratings. She also guest posted Everything you need to know about Payday loans and Bright ideas for complaining about Brighthouse (& avoiding them in the first place!)
In a month’s time, on 25th May 2018, the General Data Protection Regulation (GDPR) comes into force in Britain and the rest of the EU. This is a major change to the rules governing how organisations manage personal data about their customers and employees.
I think it’s all good for consumers. Your existing rights under the Data Protection Act are being clarified and extended, not restricted or watered down, and some dubious marketing practices will now be clearly banned.
What personal information is covered?
The EU GDPR website says this:
“Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
What organisations are covered?
The new regulations apply to all organisations that process or hold data for people living in the UK. This isn’t just companies, it also includes government departments, your local authority, charities, schools, hospitals and GPs. And the organisations don’t have to be based in the UK – it also applies to Google, Amazon, Facebook etc.
Ten ways GDPR will help consumers
1) The GDPR Right of Access means that organisations will no longer be able to charge £10 when you ask them to provide some or all the personal information they hold about you. This is also called making a Subject Access Request. People don’t like paying £10 if they are unsure what they will get, so no fee is good news.
2) You can also access information about your children or someone for whom you have a Lasting Power of Attorney.
3) Before GDPR, credit data was treated differently by the three Credit Reference Agencies (CRAs), Experian, Equifax and Callcredit. They are currently allowed to charge you £2 for a copy of your statutory credit report – but GDPR will apply to them too, so this will become free. If you have been having a dispute with a lender, say about a default date that they have added, being able to check all three CRA reports without a charge will be very helpful.
4) Organisations will now have to get your explicit consent to adding you to a mailing list. This means you make a positive decision, e.g. by ticking a box. The box can’t be pre-ticked online, where you might not spot it. And it can’t be misleadingly worded in the negative, such as “Tick here if you do not want to receive information”.
Organisations also have to be clear why they are gathering information from you and what they will use it for. So if they offer a free information booklet or are giving away money off coupons, this doesn’t mean that they can automatically add you to their mailing list – you have to clearly agree to that.
5) Organisations can’t share or sell your personal information unless you explicitly consent to this. No longer can this be buried away in the Terms & Conditions. I can’t think why anyone would ever actually want to consent!
6) The GDPR Right To Object means you have to be given an easy way to change your mind and opt out of marketing communications in future, both by email and by post.
7) The GDPR Right to Rectification means that an organisation must correct inaccurate data without delay.
8) The GDPR Right to Erasure means you may have a right to get your personal data deleted. This depends on why that data is being held. If it is just for marketing, it should be deleted when you ask for this. But a bank which has given you a loan or a shop that sold you a washing machine will have legitimate reasons to retain this information for a period.
9) Personal data breaches have to be notified to the supervisory authority (typically the ICO) within 72 hours unless they are minor, in which case they have to be documented, including the reason for not reporting them. This would include when personal information is sent to the wrong person, when a laptop containing personal data is left on a train or stolen, or when a hacker manages to download or alter personal data. High-risk breaches also have to be notified to the people whose data has been affected, without undue delay.
10) An organisation can face fines of up to €20 million (£17 million in the UK) or 4% of its annual global turnover, whichever is larger. Ouch! That is a huge amount more than the current maximum fine of £500,000 under the old Data Protection Act.
I have only highlighted some points here. The ICO site has lots of information about personal data situations. If you want to know how your personal information should be handled and how to raise a concern, look at the ICO’s “For The Public” page. That has lots of details, including how to make a Subject Access Request and links to specific situations from criminal records to the use of drones. Where necessary, those pages will all be updated when GDPR goes live on May 25th.
Will this really make a difference?
The ICO says:
“…it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”
But the fact that huge penalties will be possible is causing many organisations to take GDPR very seriously.
If this means that firms are more careful with our information, that they only hold what is actually needed, that the nuisance of unwanted marketing is reduced and that it’s easier to get problems resolved, then GDPR will be a positive help to British consumers.