With ever-changing and improving technologies, data sharing has become something we do every day, and this means data protection is becoming more and more important. This is why new legislation, known as the General Data Protection Regulation (GDPR), was enforced on the 25th May.
But what exactly does this mean for you as a customer?
GDPR is designed to replace and modernise the current Data Protection Act. This new regulation builds on principles already in place and specifically aims to give individuals more control over their personal information and make organisations more accountable for how they collect, use, store and share personal information. Personal information is any information that can be used to identify you, either on its own or together with other information, for example your name and address.
There are two main reasons why GDPR has been developed.
There are different data protection laws across Europe, because each country developed its own standards and rules. The introduction of GDPR means that data protection is further standardised, so that you can expect the same rules and the same level of protection wherever your personal information is processed. This also makes it easier for companies to manage your information, as the same rules apply regardless of where they operate.
The use of technology and the volume of personal information collected, processed and shared has risen dramatically over the last few years, and with it the risk of our personal information being misused has increased. Examples of high profile incidents involving personal information have recently been seen in the telecoms and social media sectors.
GDPR identifies a number of safeguards which organisations have to put in place to protect personal information, and gives you enhanced and new rights regarding how your personal information is collected, used, stored and shared.
For anyone who is questioning how EU law like GDPR operates post-Brexit, it was announced last year that a new Data Protection Bill will in effect implement the GDPR and will reiterate the UK’s commitment to the privacy principles enshrined in the EU regulation. The Bill will result in a new Data Protection Act replacing the 1998 Act. And as and when the UK leaves the EU the new Data Protection Act will replace the GDPR.
GDPR aims to protect all the personal information which an organisation collects, uses, stores and shares about you. Personal information is any information that can be used to directly or indirectly identify you as an individual. Previously this was limited to information such as your name, address history, phone number etc., but in a world where technology is developing at a fast pace the regulation has widened what is meant by personal information to include such things as IP addresses and social media profiles.
Whilst organisations including Yorkshire Building Society and its Group (YBSG) are working hard to make sure they comply with the regulation, as a consumer you don’t have to do anything in particular. You might start seeing subtle changes in how organisations interact with you, such as cookie warnings displayed on websites, clearer check boxes when asked to sign up to newsletters and promotions, and more easily accessible information detailing how an organisation collects, uses, stores and shares your personal information.
This gives you the right to know who is responsible for safeguarding your personal information and how the organisation collects, uses, stores and shares your personal information. All organisations must clearly say who the data controller is when handling your personal information.
This allows you to request a copy of the personal information which an organisation holds about you. Prior to GDPR, many organisations charged a fee when dealing with these requests. This is no longer allowed for the majority of requests made. Companies must also provide a response to the customer within 30 days and provide it in an electronic format where possible.
If any of your personal information is incorrect or incomplete you have the right to ask to have this information corrected.
This means that you have the right to request that an organisation deletes any personal information it holds about you. There may be compliance or legal reasons which prevent an organisation from fulfilling requests made under this right.
If you feel an organisation is using your personal information incorrectly you can prevent it being used for certain purposes.
This gives you the right to obtain and reuse personal information you have provided for your own purposes across different services. Organisations must provide you with information you have requested in a machine readable format.
You have the right to request that organisations stop some specific uses of your personal information, for example if you don’t wish to receive direct marketing.
You have the right to appeal against any computer-only generated decisions about you.
All organisations must make it clear that if you are unhappy with a response received about a complaint you have made regarding your rights, you can escalate this to the ICO.
To comply with the GDPR, YBSG has carried out the following: