New rules give consumers more insight about personal data

By Marianne Curphey

When you give your payment card details or personal information to a merchant or service provider, you currently have little control over how your data is stored or what happens to it after you've given it.

However, under new rules, companies must be a lot more transparent about how they want to use your data, and must get your permission to use it. They must also adhere to new rules regarding protection from -- and following -- data breaches. There are heavy fines for merchants who don't follow the rules -- penalties of up to £17m, or up to 4% of global turnover, can be levied.

The new legislation is a "game changer" and a huge boost for consumer rights, according to John Greenwood, a fraud prevention expert and marketing director of Compliance3, a consultancy that helps eradicate payment card and personal data fraud in business contact centres.

The rules, known as the European General Data Protection Regulation (GDPR), were first proposed in 2012, but it took four years for the European Parliament to agree on them. The regulation became law as of 25 May, 2016, but won't be enforced -- that is, no repercussions will happen -- until 25 May, 2018, giving countries time to incorporate it into their national laws. Despite the 2018 enforcement deadline, best practice is for merchants to start adhering to the rules this year, experts say.

Expect more transparency about your data
As part of the rule changes, companies have to report data breaches to their national Data Protection Authority (DPA) within 72 hours. In the UK, the national DPA is the Information Commissioner's Office. Businesses must also name a data protection officer, and have a plan in place for avoiding a breach and handling one if it happens.

"The data protection regulations apply to all consumers and to all companies that do business with customers based in the EU," Greenwood says. "The new legislation gives rights back to the individual -- businesses do not own data, the individual does."

One of the biggest changes is that businesses can only use your data once they have express written permission from you, Greenwood says. When the new rules come into force:

  • Companies can only contact you if you have given them permission to do so. This permission only lasts for six months, after which they are not allowed to contact you again.
  • This does not apply if you have signed a contract -- for example, if you have given your insurance company permission to contact you again when your policy is up for renewal.
  • Personal data will be treated as something valuable, the same as a business's physical goods.
  • UK companies will need to include a request for permission to use personal data at the point of sale. Failure to do so will be punished by law. This applies to all companies collecting and storing data on individuals, but will likely be most vital for online contracts and transactions.

Greenwood says under the new rules, companies will have to be accurate and explicit about what they do with customer data, and they'll need to be able to present this information to their customers on demand.

He says the rules do still apply, despite the Brexit decision in June 2016.

"Europe is a single trading entity and if we are going to trade with Europe, then Britain won't be allowed to operate under completely separate data rules," he says. "British companies have got to get used to this and prepare for this, which is not an insignificant task."

The new rules make for some big changes
All this will mean a massive change for the direct marketing industry in Britain. At present, companies can buy your data and cold-call you with products for sale.

"For at least 25 years, Britain has fought Europe on its data protection rules," Greenwood says. "Customers will, in the future, have the right to be forgotten and they can ask for their data to be removed from the company's database -- and the company has to provide evidence that they have done this."

If you feel a company isn't complying with the regulations, you can complain to the Information Commissioner's Office, which will tell you whether you have a basis for making a claim. There is a standard letter template available to help consumers make a formal complaint.

Some key changes:
1. "The right to be forgotten"
When you no longer want your data to be processed and there are no legitimate grounds for retaining it, the data will be deleted at your request. This enables someone to require, without delay, the deletion of personal data collected or published on a social network when the individual was still a child. This applies to adults, too, but the new rules have a particular focus on the rights of minors.

2. Easier access to your personal data.
You will be able to find out what information is held about you, and where it's stored. Companies must be able to provide this promptly.

3. Granting permission to use your data.
When your consent is required, companies must ask you to give it by means of a clear affirmative action. This means it cannot be disguised in terms and conditions.

4. Transparency regarding your data.
Companies must be transparent about how your data is handled, with easy-to-understand information, especially for children. This includes informing individuals about their privacy policy in clear and plain language.

5. Transparency regarding data breaches.
Businesses and organisations will need to inform you about data breaches that could adversely affect you without undue delay. They must also notify the relevant data protection supervisory authority.

6. More protection for minors.
If someone younger than 16 wishes to use online services, the service provider has to try to verify that parental consent has been given. Member states may lower this age ceiling, but it cannot be lower than 13 years of age.

7. Granting permission to be contacted.
If companies want to contact you in the future you must have given them permission to do so.

Updated: 8 August 2017