Have you ever thought about how many organisations have your personal data? I stopped counting when I got to 30 and these were just the organisations I deal with on a regular basis. If I included all the customers and suppliers I deal with the number easily exceeds 100. So how do you ensure your information is being used only for the purpose you intended and that the organisation is taking care of your information responsibly?
A new set of regulations, the General Data Protection Regulations (GDPR), due to be introduced next May, aims to do just that. These regulations are a comprehensive reform of the EU’s 1995 data protection regulation and the UK’s Data Protection Act (DPA), and have been developed to strengthen and unify online privacy rights and data protection for individuals within the EU. Despite Brexit, the UK will be adopting the regulations.
In this and subsequent articles we will review the benefits these new regulations provide to individuals as well as the implications for organisations that manage your personal data.
What is personal data?
The regulations are all about protecting an individual’s privacy and rights, and so they apply to data which is personal. The GDPR’s definition of “personal data” is extensive and includes a person’s physical, physiological, mental, economic, cultural, online or social identity. This broad definition of personal data easily covers the simplest records that relate, even indirectly, to customers, clients, staff, pupils and any other record relating to an individual.
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health, or data concerning a natural person’s sex life or sexual orientation, are specifically called out with special provisions.
There are child-specific provisions in the GDPR, particularly in relation to the grounds for processing and to notices. Children are identified as “vulnerable individuals” deserving of “specific protection”, with the ability to add further restrictions and precautions.
Understanding your rights
The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA. The intention is to protect the rights and freedoms of individuals, and in particular to protect them from personal data processing which could lead to damage, such as discrimination, identity theft or fraud, financial loss, damage to your reputation or the loss of confidentiality.
The GDPR provides the following rights for individuals:
- The right to be informed: Organisations will need to get your clear and unambiguous consent to process your personal data, and they must be very clear on what they are proposing to do with it. You also have the right to easily withdraw your consent.
- The right of access: You will have the right to obtain confirmation that your data is being processed, to have access to your personal data, and to receive other supplementary information. Reasonable requests for access to your personal information will be at no charge, and organisations will need to provide the information within a month.
- The right to rectification: You will have the right to request that inaccurate or incomplete records are corrected.
- The right to erasure (the right to be forgotten): You will have the right to request that organisations delete your personal data in certain circumstances.
- The right to restrict processing: You will be able to object to your personal data being “processed” in certain circumstances, such as for the purpose of direct marketing, including profiling.
- The right to data portability: You will have the right to request a copy of your personal data in digital format, provided in a safe and secure way, and to give it to another organisation if you wish. The intention is to make it easier to switch providers.
- The right to object: You have the right to object to processing of your personal data, but you must have valid and acceptable reasons for doing so.
- Rights related to automated decision making and profiling: You have the right not to be subject to a decision when it is based on automated processing and it produces a legal effect or a similarly significant effect on you.
The regulations go even further than just specifying these rights and impose a whole raft of obligations on the controllers and processors of your personal data whatever their size. In our next post, we’ll look at what these obligations are and the significant penalties for infringements.