Why GDPR is a good thing for consumers

Sara Williams explains how information handling is changing in May 2018, and looks at the benefits to consumers.

If you have been receiving a surprising number of emails or letters with titles such as ‘Updates to our terms and other policies’, or ‘Important information about our privacy policy and Ts&Cs’, you may be wondering why. And you may think that they sound either tedious or slightly worrying.  

These are being sent because the data protection rules are changing on 25 May 2018, when the General Data Protection Regulation (GDPR) comes into force.

GDPR is good news for UK consumers. You will have more rights to find out what information is held about you, how firms use it, and how to get it corrected or deleted if it is wrong.

What data is covered?

The new regulations apply to all personal information that is held by organisations, including government departments, local councils and commercial companies, such as Google and banks. It’s not just for large firms; it will also cover GPs, your child’s school and your local sports club.

You can usually only access your own data, but parents can access some information about their children. If you have lasting power of attorney for someone who can’t manage their own affairs, you have the right to access the data that you need to carry out your role.

Free access to your data

Before GDPR, firms have been allowed to charge customers to see a copy of their data, at a cost of £10, and take 40 days to supply it. But from 25 May, firms are not allowed to charge anything (unless you keep making repeat requests), and you have to be sent the information within a month.  

The Information Commissioner’s Office (ICO) has a page with a template letter on how to ask for your data, called a subject access request (SAR). Before you send off an SAR, it’s worth checking to see if there is a simple way to get the information that you need. For example, if you want your bank statements for just a few months, you can usually ask for those, not the large amount of paperwork that a full SAR would give you.

People are often reluctant to pay £10 when they are unsure what they will be sent; for example, if you want to see whether your name is on fraud databases because you are worried about identity theft. Being able to check without a charge will be a big improvement for consumers.

If there is a problem with your information

The ICO site offers lots of information about personal data situations. Some data is more sensitive than others.

If you would like to know how your data is being handled, or if you think it has been mishandled, or if you would like it corrected or deleted, you should first ask the organisation. If you aren’t happy with their response, you can then raise the issue with the ICO. There will potentially be large fines, up to £20 million (or more for the largest firms), if they mishandle your data, so organisations are taking GDPR very seriously. 

Organisations should correct data if it is wrong. Sometimes it’s not obvious who you should contact. For example, you may be concerned that something is wrong on your credit report, but the credit reference agencies only report information that they are given. So, if you think a default date is wrong, you need to ask the creditor to correct this, not the credit reference agency.

The Gazette’s privacy policy explains what you should do if you think a notice is inaccurate – this depends on whether you placed the notice, or if it was supplied by someone else. Many of the notices that The Gazette publishes are supplied by the Official Receiver, insolvency practitioners or Companies House.

In some cases you may be able to get old information deleted. GDPR calls this 'the right to erasure'; it is also known as 'the right to be forgotten'. Once GDPR comes in, an organisation has to explain why it is holding your personal data – if this is because you agreed to this, then you can withdraw your consent. So, for example, you can ask for your contact details to be deleted from a marketing database, which should be done promptly.

This right to have personal data deleted does not apply in all situations; the information may need to be retained for legal reasons, for example. Notices in The Gazette form part of the complete and official public record, so they are not removed, but the privacy policy explains the limited situations in which some information may be redacted so it can't be found.

More control over the emails and letters that you're sent

After GDPR, firms will only be able to send you emails and letters if you positively agree to this by ticking a box. No longer will:

  • you have to study the wording to see if you need to tick a box not to receive communications
  • online boxes be pre-checked so you have to uncheck them
  • a firm be able to add you to their mailing list if you only ask for a leaflet, or enter a competition

Also, your details can’t be passed on to third parties unless you tick another box to agree to this – a firm isn’t allowed to bury this somewhere in the small print. So making a donation to one charity shouldn’t then result in lots of begging letters from other charities.

If you haven’t given your active consent in the past, then a firm will need to either drop you from its mailing list, or ensure that you agree to remain on it. Hence the emails and letters that you may be getting of late.

About the author

Sara Williams is a debt advisor. She blogs about debt and credit rating news via Debt Camel.