Your rights and GDPR 4 years on
As we near the fourth anniversary of GDPR, we ask what it is, and has it done what it was supposed to do? Are we better protected now or has the introduction of the GDPR been a damp squib? Despite GDPR, should we take precautions to prevent data loss?
Wed 25 May 2022
What is the GDPR in simple terms?
GDPR stands for General Data Protection Regulation. It’s a European Union (EU) law that came into effect on 25 May 2018. GDPR governs how we can use, process, and store personal data (information about an identifiable, living person). Essentially, it regulates the processing of personal data and its free movement. In simple terms, GDPR aims to make it simpler for people to control how companies use their details.
GDPR replaced previous data protection rules across Europe that were almost two decades old, with some of the first being drafted in the 1990s. Since then, our data-heavy lifestyles have emerged, with people routinely sharing their personal information freely online.
GDPR was also created to alter how businesses and other organisations handle the information of those that interact with them. There's the potential for large fines and reputational damage for those found in breach of the rules. Companies are not allowed to collect or use personal information without the person's consent. Data includes things like a person's name, email address and phone number, and internet browsing habits collected by website cookies. Firms must also report any data breaches, including cyber-attacks and accidental leaks, to authorities within 72 hours.
GDPR can be considered the world's strongest set of data protection rules, which enhance how people can access information about them and places limits on what organisations can do with personal data.
It applies to all companies that collect data in the UK including after Brexit as the government enshrined the same rules in UK law.
Privacy campaigners have hailed the regulation as a step forward for online rights, but some small firms have been unhappy about the administrative burden of complying with the law.
What are your rights under GDPR?
In summary, your full GDPR rights are: -
● You have the right to be informed about the collection and the use of your data
● You have the right to access your data and any supplementary information
● You have the right to have inaccurate personal data rectified or completed if it is incorrect or incomplete.
● You also have the right to data portability, the right not to be subject to a decision based solely on automated processing.
● Finally, you also have the right to erasure (to be forgotten) in certain circumstances
Do individuals have to comply with GDPR?
Yes, the GDPR does apply to individuals. If you process or collect the data of EU residents, you're required to comply with the GDPR, regardless of whether you're a business, organisation, or individual.
Can my employer give out my personal information without my consent?
Generally, sensitive data cannot be processed without the data subject's explicit consent, but employers can process sensitive data where necessary to carry out an employment contract or to fulfil collective agreement obligations.
Has GDPR worked?
Many argue that the passing of GDPR has directly impacted data privacy and security standards while also indirectly encouraging organisations to develop and improve their cybersecurity measures, limiting the risks of any potential data breach.
So, on the surface, it looks to have succeeded. However, our research has revealed that the data rights enshrined in GDPR are being 'worked around' and in many cases, ignored. Indeed, this widespread lack of compliance with the legislation itself has fostered a landscape in which poor data use and sharing practices have become endemic.
Thousands of companies today have your data without you knowing it. Some will sell it; others will make money from it. Lots of them will lose it or get hacked this year.
Our research conducted this year with 1,500 British consumers reveals that 54% of them are confused by their data rights. Three quarters are most concerned about losing control of financial information and 14% about family details. And with good reason: personal data is continuously lost through breaches, mismanaged by careless organisations, and exploited by unscrupulous data brokers, who disguise themselves as ‘marketing service providers’.
Rightly Protect directly combats these issues, aiming to address the root cause by reducing the instances consumers' data is leaked by companies holding it. To achieve this, Rightly Protect utilises consumer data rights under GDPR and helps users automatically detect the countless organisations that hold their data. This empowers consumers to take informed action to ask those they no longer use, nor want to hold their data, to remove it.
What to do if you think you have been the subject of a GDPR breach?
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says companies must inform those concerned directly and without undue delay. In other words, they should take place as soon as possible.
If you think your data has been breached there are seven simple steps you can take to prevent further loss:
● change your passwords
● sign up for two-factor authentication
● check the company who has exposed you for updates
● watch your accounts and credit alerts
● consider identity theft services
● freeze your credit
● and finally go to IdentityTheft.gov
You can also find out more about keeping your data safe in a previous blog.
What is the future of GDPR (the Data reform bill)?
Plans for a new UK data protection regime have been confirmed in the Queen's Speech on 10 May 2022.
Presented to Parliament by HRH Prince Charles, the speech included a brief reference to the Government’s earlier proposals to develop an alternative to GDPR with its new Data Reform Bill.
The Government has indicated a desire for a more flexible approach that does not rely on what it has described as the "box-ticking" of GDPR.
Proposals for public services included a clarification of what health data public and private bodies could lawfully process and improve cross-sector working on operations relevant to national security.
The published background notes to the speech provide little detail on the future bill, but say its purpose is to create a new trusted data protection framework that reduces burdens on businesses and supports scientific innovation, and increase industry participation in smart data schemes to give citizens more control of their data.
One of the intended benefits is to support the effective use of data in public healthcare, security, and government services.
We will keep an eye on what the Government does with data protection and your rights to controlling your own data. In the meantime remember to keep your digital footprint light and get all the data that companies have on you that they don’t need, deleted. Rightly Protect can help you with that and make requests to as many companies as you like in a single click and for free.