Most consumers are likely to be aware of the Data Protection Act 1998 and of the protections it provides them, including that companies must not share their personal data without their consent.
However, not all consumers will be aware of the new data protection law that the EU has approved: the General Data Protection Regulation (‘GDPR’). The GDPR will apply to all Member States from 25 May 2018 and will replace the current data protection laws.
What are the key changes for consumers?
- Clear information: Fairness and transparency of processing requires more extensive information to be given to individuals, including their right to withdraw consent and to object to direct marketing. Data controllers must also implement data protection policies, which will need to be transparent and easily accessible.
- Copies of information: Currently, organisations can charge individuals up to £10 for responding to a data subject access request. Under the GDPR, information must be given to individuals free of charge. However, ‘reasonable fees’ may be charged if the request is excessive. If the request is made in electronic form, the information should be provided in a commonly used electronic form (unless the individual consumer requests otherwise).
- Right to be forgotten: Individuals can require data to be ‘erased’ when there is a problem with the underlying legality of the processing or in circumstances where the individual consumer withdraws consent.
- Stricter consent: Companies must be sure that they have obtained consumers’ consent correctly. The GDPR states that consent to data processing must be “freely given, specific, informed and unambiguous…”
- Data Portability: According to Europa, the GDPR is designed to make data protection laws “fit for the digital age”. This intention can be seen in the right of data portability, which requires companies controlling an individual’s personal data to provide information in a structured, commonly used and machine-readable form.
- Wider territorial scope: The GDPR applies to organisations based outside of the EU that target EU customers, even if the organisation has no EU presence.
The UK is unlikely to have exited the EU by 25 May 2018, so this new law will apply in the UK from this date until the UK leaves the EU. Even post-Brexit, the GDPR will still apply to consumers based in the EU because of the wider territorial scope of the GDPR. In the UK post-Brexit, we expect that similar provisions to the GDPR will be brought into UK law too.
Organisations should be considering how to comply to ensure that they protect consumers, especially as the GDPR brings even bigger fines for non-compliance.
This note is provided by Kirsty Farmer from Shoosmiths Data Protection Team. For any questions please contact Anastasia Fowle (firstname.lastname@example.org) - Partner, Head of Data Protection, Intellectual Property and Creative Industries.
This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.