You will likely have heard of “GDPR” – the General Data Protection Regulation – which comes into force on 25 May 2018 and replaces the Data Protection Act 1998. However, most of the available content covers what businesses need to do to be compliant before the deadline. This is a summary of what GDPR means for you, as an individual.
GDPR will strengthen and add to the existing rights that you have in respect of your personal data and how it is processed by, or on behalf of, “data controllers”. Subject to specific exemptions and conditions in each case, you will have:
- The right to be informed – you need to be told who the data controller is, why your data is being processed, on what legal basis, to whom and where it may be sent, and what your rights are. All of this is likely to be found in a privacy policy. Transparency is key.
- The right of access – this allows you to obtain confirmation that your data is being processed and be given a copy of it, free of charge.
- The right to rectification – if personal data about you is incomplete or inaccurate, you can require this to be rectified.
- The right to erasure, or the “right to be forgotten” – if your personal data is no longer required for the purpose it was collected for, or if you have withdrawn your consent or objected to your data being processed, you can demand that the data controller deletes it.
- The right to restrict processing – you can restrict processing of your data when you claim that it is unlawful or contest the accuracy of your data, or in some other limited circumstances.
- The right to data portability – you can require a copy of your personal data or transmit your data to another “data controller”. This is to give you greater control, for example, to switch service providers.
- The right to object – you can object to the processing of your personal data for direct marketing, scientific or historical research or statistical purposes, or profiling. If you do, the data controller must stop it. The most obvious example is an e-mail “unsubscribe” link.
- Rights in relation to automated decision-making and profiling – you can object to this where the decisions or profiling have legal or other significant effects on you.
- The right to be notified of a data breach – if a breach is likely to result in a high risk to your rights, you have to be told about the breach.
If you are not happy with how your data is being processed, contact the organisation’s Data Protection Officer. Failing resolution of your complaint, contact the Information Commissioner’s Office.