The EU General Data Protection Regulation, or GDPR as it’s commonly referred to, is one of the biggest changes in recent times to our UK data privacy laws. It comes into effect on 25th May 2018, and replaces the current 1998 Data Protection Act which was passed when the internet was in its infancy.
After more than three years of discussion, the GDPR requirements have been agreed. The main aim is to give you (the customer) more control over your personal data. It also includes stricter rules for companies on how they handle and manage your data.
Why has GDPR been introduced?
Data protection laws across the European Union (EU) have been considered as a benchmark globally. However, since the Data Protection Act was written back in 1998 the digital world has changed almost beyond recognition. Technology has changed the way we live our lives in a way no one could have predicted and so a review of the rules was needed.
The GDPR is now recognised as law across the EU. It was adopted in 2016, with an agreement that all Member States would have two years to ensure it is fully implemented in their countries by May 2018.
Do you have any new rights under GDPR?
A number of customer rights have evolved as a result of this new regulation. These include those listed below:
- You have the right to be forgotten. You will be able to request that a company deletes your data if there is no legitimate reason for them to keep it. However, if there is a legitimate reason to keep your data (for example, to manage your policy or account) they have the right to refuse this request.
- You can ask a company to correct any data they hold about you which is incorrect. If after reviewing your data you believe something is not right, you can contact the company concerned and ask them to rectify this.
- You can ask a company to provide your data in a machine-readable format or to send your data to another company. If you want to transfer your business to another provider, you can contact your current provider and ask for your data to be provided as outlined above. This will usually be provided in an electronic format.
- You have the right to ask a company to review a decision which they have made about you if the decision was made by automated means. If you don’t agree with a decision which has been made concerning your business with a company, you have the right to ask that company to review it.
How does this affect my data?
Companies will also have an obligation to ensure that all data they collect and hold is accurate.
Are there any other rights under GDPR?
Yes, there are. These fall under the following categories:
You may not want to miss out on offers and information from your company; however, you do have the right to choose whether or not you want to receive marketing material from a company. You also have the right to change this choice at any time. In addition, if you made your selection online you should be given the option to change it in the same way. This means that however you make your selections regarding your marketing permissions, you will be able to update them in a similar manner.
You have the right to object to some uses of your data which are not essential for the service being provided, such as use of your data for market research. If you don’t want a company to use your data in this way you should contact them and ask to be removed from this type of activity.
Companies will need to make sure that they have explained to you all the purposes for which your data may be used, including in areas such as research. Research, however, can benefit you, the customer, in a number of ways, such as by providing more personalised policies.
What about data breaches?
Under the GDPR there is a requirement for companies to report any personal data breach no later than 72 hours after becoming aware of it. Any breaches will be reported to the Information Commissioner’s Office (ICO), which also has the power to issue fines to companies if they are found to be in breach of any GDPR requirements or if the timescales for reporting a breach are not met.
What are Budget Insurance doing for GDPR?
Budget Insurance take your data and your rights very seriously. They are reviewing and adapting all their processes, where necessary, in line with GDPR requirements to ensure they are compliant by 25th May.
What are the consequences of not being GDPR compliant by 25 May 2018?
There are some severe penalties which the Information Commissioner’s Office (ICO) can impose on companies that fail to meet certain elements of the GDPR requirements. Penalties for more serious breaches are considerable and can result in companies being fined up to €20M or up to 4 per cent of total global revenue of the preceding year, whichever is greater. Other breaches can incur penalties of up to €10M or up to 2 per cent of total global revenue of the preceding year, whichever is greater. These fines have been implemented to show just how important it is that the GDPR requirements are met.
However, it isn’t just about fines; there is also the possibility of considerable damage to the brand’s reputation. In a recent case, Facebook’s shares fell by nearly 7%, wiping $37bn (£26bn) off the company’s value, after concerns over data privacy in the UK and the US. The social network faced criticism after reports that political consulting firm Cambridge Analytica gained improper access to data on 50m Facebook users, and over Facebook’s subsequent failure to disclose the breach.