GDPR explained: What do the endless privacy policy emails mean for you?

Changes to data protection laws being introduced on 25 May will give consumers greater control over businesses' right to retain their personal information

Joe Sommerlad
Friday 25 May 2018 10:42 BST
The perfect way to start an email will depend on who you're writing to (Shutterstock)

If you're currently being inundated with emails from companies about updates to their privacy policies, this is why: a new General Data Protection Regulation (GDPR) law comes into effect on 25 May after being passed by the European Parliament in April 2016.

The legislation is intended to give the consumer greater control over the way in which companies collect and use their personal data, replacing old rules introduced in 1995 that are no longer fit for purpose given the subsequent growth of the digital economy. UK information commissioner Elizabeth Denham has suggested GDPR is a "step change" and a case of evolution rather than revolution.

Under the new regulations, which will apply even after Brexit after being enshrined in the UK's forthcoming Data Protection Bill, businesses will be required to actively secure permission before making use of customers' names, email addresses, phone numbers or web browsing habits (traced by a website's cookies).

Firms will now be obliged to report any data breaches or cyberattacks within 72 hours of becoming aware of them.

Your inbox is no doubt currently being flooded with emails from companies you have previously bought something from online, sites you have registered with or those you agreed to receive promotional material from, having been added to their mailing lists when you did so.

Consent given prior to the introduction of GDPR regarding a company's right to retain and "process" your data is no longer sufficient without proof that you opted in, hence their approaching you now to ensure your approval.

In return, you will be able to request a copy of all the data a business holds on you within 30 days and even ask for it to be deleted under "right to be forgotten" laws, a potential admin headache for small enterprises but a win for online privacy advocates. Presently, businesses charge £10 to process a Subject Access Request, a fee that will now be scrapped.

GDPR will even apply to sole traders such as handymen and a failure to comply will result in fines decided by the UK Information Commissioner's Office (ICO).

Minor offences could hypothetically result in fines of £8.8m or 2 per cent of a firm's turnover, more serious breaches up to £17.5m or 4 per cent of turnover, a huge increase on the current maximum penalty of £500,000. Ms Denham, however, insists the ICO prefers "the carrot to the stick" and lesser contraventions are unlikely to be penalised so heavily.

The ICO has prepared a 12-step guide for businesses to help them ensure they comply, which you can access here.

If you're really keen, you can read the full GDPR regulation here. All 88 pages and 99 articles of it.

The introduction is timely given the growing awareness of privacy concerns in light of the Cambridge Analytica scandal, in which the start-up harvested data from the Facebook profiles of 50 million Americans and passed it on to Republican political pollsters for use in the micro-targeting of swing voters during the 2016 US election.

Significant data breaches suffered by the likes of Yahoo! and LinkedIn over the last year have also underlined the need for greater corporate responsibility when it comes to individuals' private information.
