With cyber attacks and security breaches prominent in our minds following a series of attacks over the course of the last few months, most noteworthy of course being the attack against the NHS involving masses of personal data being held to ransom. As a result, perhaps now more than ever we are considering who holds data about us, and exactly what data they hold.
At present, Data Protection is governed by the Data Protection Act 1998 (‘DPA’) but this is due to be replaced by the General Data Protection Regulation (‘GDPR’) which comes into force on 25 May 2018. This new piece of legislation promises to provide greater protection to individuals and greater sanctions for companies breaching Data Protection laws; including fines of up to 4% of annual worldwide turnover.
One of the key changes the GDPR brings is the fact that silence, pre-ticked boxes or inactivity, will no longer constitute consent. Consent is already required from the data subject before data controllers are able to process the data, however this important change should now see a reduction in the ways in which you can unintentionally give consent and therein allow data controllers to process your personal data.
The GDPR also seeks to provide greater security surrounding children’s data, and sets an age threshold that requires data controllers to obtain consent from the child’s parent when processing data to provide ‘information society services’.
Furthermore, individuals will now have greater control as to how their data is used. For example, the data subject can object to their data being processed via automation, seeing an end to those automated cold calls that have become part of day to day life for so many.
Additionally, the scope of the data subject rights provided for under the DPA, have been widened by the GDPR. An individual will still be able to enforce their subject access rights, rectification rights and objection rights regarding marketing, as well as having the right to restrict the purposes for which the data is being processed, and having the right to now transfer data to another data controller.
Importantly, and perhaps the most crucial of all given the vast remits of data being collected on a day to day basis completely unknowingly - individuals now have the right to be forgotten. This means individuals can request at any time that a controller deletes any personal data relating to them and can therein ensure it is no longer processed. Data subjects can request this where;
- The data is no longer necessary in relation to the purposes for which it is processed;
- The data subject has withdrawn their consent;
- The data subject objects to the processing of their data;
- The processing does not comply with the GDPR.
This wide remit gives individuals greater protection, providing them with the ability to be very selective over what data is being held by companies and their wider groups. A welcome change given the severity of the damage caused from ever increasing cyber-attacks.