Unless you’ve been ignoring your inbox over the past few weeks, you’ve probably been inundated with requests to update your ‘privacy’ or ‘marketing’ preferences, in preparation for the General Data Protection Regulation (GDPR) which will apply from Friday 25th May 2018. The Regulation brings huge changes to how organisations handle your data, and your rights as a ‘data subject’. Here, we look at some of the changes that are likely to affect you.
Whether you’re purchasing goods, using a business to provide services or simply visiting a website, the organisations you are dealing with will likely be collecting data about you.
If you’re just a website visitor, chances are that the data will be largely generic and anonymous. This helps the organisation understand how many people visit its website, what devices they are using to view the site, which content is most useful and so on.
If the website also collects your IP address, this is classed as ‘personal data’. Personal data is any data capable of identifying you as an individual.
If you complete a contact form, phone the organisation or email them, you may also provide other data such as your name, address, phone number and email address.
In the past, you might have accidentally consented to the organisation handling this data in intrusive ways. For example, organisations may have used confusing combinations of check boxes on their website contact forms where you had to check/uncheck the right combination to avoid being sent marketing emails. Others may have said that sending you marketing communications was a condition of using their services. The GDPR changes all of that.
From Friday, your consent to communications will need to be positive – that is, you’ll have to opt-in to receive marketing communications. This means checking a box on an online form or piece of paper, or positively consenting over the telephone. They cannot use your refusal of consent as a basis for not serving you.
If you already opted into communications in the past, the organisation may be able to rely on that consent to continue contacting you – but only if the consent was obtained in a GDPR-compliant way and the organisation can prove it. In reality, it probably wasn’t – which is why so many organisations are contacting you now.
Note that if you get a message asking you to opt in and you have never contacted the organisation before, this could land them in deep water. Last year the ICO fined Honda and Flybe a total of £83,000 for sending opt-in messages to people who they could not prove had ever consented to hear from them in the first place.
In the past, organisations have frequently lumped consent options together – for example, asking for consent to email you, then sending you everything from service-related emails and important updates to newsletters, special offers and so on. You may have also found that your data was shared with third parties without your knowledge, thanks to a clause buried deep in their website terms and conditions.
Now, organisations have to be very specific about how they are handling your data. They must consider:
This must all be set out in their Privacy Notice which needs to be accessible at the point where they take your data. If you’re making contact through their website, chances are there will be a link to the Privacy Notice on the contact form. If you’re contacting them via telephone, they may let you know where you can find their Privacy Notice (for example, on their website). This saves you the annoyance of having to sit through a lengthy recital.
Under the new Regulation, your data must be collected for “specified, explicit and legitimate purposes” and “not further processed in a manner that is incompatible with those purposes”. Consequently, you’ll probably see a lot more boxes on website contact forms going forward, with organisations asking for consent to different types of communication.
We’ve all heard those messages at the start of phone calls ‘Your call will be recorded for quality and training purposes’ – but for most organisations, they’ll need to change.
As a result of the GDPR, organisations will now need to ask your consent to record calls, and must stop recording/delete the recording if consent is not obtained. There are a few exceptions – for example where the recording is necessary for the fulfilment of a contract with you, or necessary to fulfill a legal requirement.
Some organisations intend to rely on what the Regulation calls ‘legitimate interests’ as a basis for using your data – typically where you have already purchased a product or service from them. This means they will not necessarily contact you to ask you to opt in to future marketing.
They will be permitted to rely on legitimate interests for marketing activities if they can show that how they use people’s data is “proportionate, has a minimal privacy impact, and people would not be surprised or likely to object” to the communications. Further, they will have to conduct a balancing test to establish whether their interests outweigh yours. The test has to be documented for future reference.
In addition, if they intend to send you marketing messages via email, they will need to consider existing Data Protection legislation such as the Privacy and Electronic Communications Regulations (PECR) which sits alongside the Data Protection Act and the GDPR.
The rules on electronic mail marketing are in Regulation 22 of the PECR. In short, organisations must not send electronic mail marketing to individuals, unless:
If therefore the organisation did not give you a simple way to opt out of marketing communications when they first collected your data (for example, on a website contact form or order form), or did not give you this option in future emails, they will not be able to rely on ‘legitimate interests’ and must get your specific, granular consent to future marketing communications. If they do not, they will be in breach of the GDPR.
In many cases, you may want the organisation to continue handling your data – for example, if you have a contract with them.
However, sometimes you may find that an organisation continues to send you messages long after you’ve lost interest in their services. All organisations will also have to provide you with the option to opt out of all future communications. This information will be contained in their ‘Privacy Notice’. If you contact them and request that they stop processing your personal data, they will have to respect this.
You can of course ask an organisation to stop processing your data for the purpose of direct marketing, without affecting any contract they may have with you. They are not permitted under the GDPR to make marketing emails compulsory when you use their services.
The GDPR introduces a new right for you to ask organisations for data in a machine readable format, allowing you to use it for various purposes. This could be useful for example in helping you to secure a better energy deal.
The GDPR gives you the right to object to automated decisions being made about you where the decision has a significant effect on you. This might be, for example, where you have applied for a loan and the organisation uses an algorithm to accept or reject your application. You can ask a human to review the decision, although this is no guarantee that the outcome will be the one you want!
Under the GDPR if there is a serious breach of your data, organisations must tell you what has happened in clear terms. They must also report the breach to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it. If the organisation reports to the ICO but does not inform you of the breach, the ICO can compel them to inform you. You may be able to claim compensation in certain circumstances.
It has been no secret that the ICO will have powers to fine those breaching the new rules severely – up to €20m or 4% of their annual global revenue, whichever is higher.
In practice, most people think it unlikely that the ICO will use the powers to their full extent and fines are expected to be on a par with those currently being issued. Under current rules the highest fine possible for a serious data breach is £500,000.
Previously, you’ll probably know that you had the right to ask an organisation for a copy of the data they hold about you. However, organisations were allowed to charge a fee for providing this information, and could take up to 40 days to respond. Under the GDPR, ‘subject access requests’ will be free and must be processed within a month. But why would you want to make one?
One possible reason is if you think that an organisation is not processing your data lawfully.
Where your request to the organisation is complex, they will be able to extend the one month period to three months. However, they will have to let you know within a month of your request if they intend to do this.
If you make a request that is excessive or unfounded, the organisation has a right to charge you a fee, or to refuse to action the request.
Our own Data Protection Policy and Privacy Notice sets out how we collect, use, store and share your data, together with an outline of your rights. You can view the Policy and Notice here. We are keen to be as transparent as possible and our Policy/Notice is written in plain English rather than legal jargon for that very reason. However, if you do have any questions at all, please don’t hesitate to contact us.
If you’ve received our newsletter in the past but you didn’t spot our recent email opt-in request, it’s possible you won’t receive our newsletters from now on. However, it’s really easy to sign up – just click here and complete the form. Remember, you can unsubscribe at any time by simply clicking the link at the bottom of any Newsletter edition.