You may have heard about the General Data Protection Regulation (GDPR), which has just become law, but may have no idea what it means for regular people. You’re not alone. To fully explain GDPR would take more space than I have here, but I hope to give you an idea of how it affects you.
The reasoning behind GDPR is that businesses have been playing fast and loose with our personal information, without too much in the way of risk to themselves. For large companies, a fine of £500,000 isn’t really a deterrent. £17m or 4% of annual turnover, whichever is higher, hurts a bit more.
But it’s not just about what happens when things go wrong. GDPR also gives the little man the right to know what information a company is holding about them, how long they intend to hold it, what justification they have for doing so, and the right to have the information completely destroyed.
If there is a valid legal reason, such as part of a contract, then there is no right to be forgotten. Otherwise, companies have to comply with removal requests within a reasonable timescale, and if they don’t, they can be reported to the Information Commissioner’s Office, which now has much more power.
Companies also have to publish how they deal with your personal information and how long they intend to hold on to it. They also have to say how individuals can contact them with queries or requests specifically relating to personal data.
These details are commonly linked to on company websites, so look for links to things like Personal Data Protection Policy, Data Retention Policy or Data Privacy Notice at the bottom of website pages, or in their legal sections.
Most importantly, they cannot keep your information without your consent if they have no other reason to keep it. There is something called ‘Legitimate Interest’, as well as legal contracts, which allows data retention, but companies can only use your data for the purpose for which they are claiming legitimate interest. They can’t, for instance, add you to their email list as well if they don’t have your explicit consent to do so.
Companies have to renew any consent you give on a regular basis and if they ask you, and you don’t reply, they have to remove you from their records. See www.ico.org.uk for more information.