Computer Shopper - UK (2019-10)

OCTOBER 2019 | COMPUTER SHOPPER | ISSUE 380


Data breaches are becoming bigger and more severe, with a host of companies leaking your private data due to lax security. In 2018 alone, it was estimated that five billion personal records were leaked. It’s a frustrating statistic, as you can’t keep everything private and, at some point, you have to interact with companies that will store your information digitally.

Fortunately, the EU’s General Data Protection Regulation (GDPR) came into force last year. This was designed to dish out tougher penalties to companies that don’t store data securely, while giving us more control over our data.

As an example of how well the GDPR is working, the UK Information Commissioner’s Office (ICO) says that it will fine BA a record £183m (1.5% of the company’s worldwide turnover in 2017) after half a million customer records were stolen by hackers, while the hotel group Marriott faces a fine of £99m for a data breach.

Previously, the biggest fine possible was £500,000. This was imposed on Facebook for its part in the Cambridge Analytica scandal, which saw 87 million records leaked. Under the GDPR, the maximum fine can be 4% of worldwide turnover, which is enough to make companies stop and take security seriously.

While the fines are for lawmakers to control, the GDPR also gives you new rights over your data, which we’ll look at here.

The right to be informed

Companies now have to tell you what they’re going to do with your data at the point of collection, written in clear English. Most importantly, companies need consent to process your data. Generally, this is via you manually consenting, which requires an opt-in box, as opt-out boxes are now banned.

What’s new is that consent has to be granular, giving you the option to allow some processing but opt out of others. For example, you could say yes to being told about updates to a product that you’ve bought, but no to all other marketing. Companies can’t just assume that you’re happy with everything any more. And if things change and a company wants to use your data for a different purpose, they have to come back and ask you.

Companies are no longer allowed to share data without your consent, either. Before the GDPR came into effect, you might have clicked a box that said you were happy to share your data with third-party companies; post-GDPR, these companies have to be named. The result should be fewer marketing emails.

There are some exceptions to gaining consent, known as a legitimate interest. For example, if you bought a car that needed to be recalled, a manufacturer could email you as you’d need to know. If there’s a legal reason for processing data, then consent isn’t required either. However, for most cases, companies need your consent and, if they don’t have it, they’re in breach of the GDPR and can be fined.

GDPR

Under the GDPR law, companies face bigger fines for data breaches, and you have more control of your data. Here’s what you need to know

MAKING A GDPR REQUEST

Dealing with the GDPR means getting in touch with a company. Many larger companies already have tools where you can download your data, including Facebook (tinyurl.com/380privacyfeature), Apple (privacy.apple.com), Google (myaccount.google.com/dashboard) and Microsoft (account.microsoft.com/privacy). For other companies, you’ll need to get in touch directly to find out where to address your request.

If you think that your data is being misused or processed unlawfully, then your first port of call should be with the company. With the right to access your data, you can find out what the company holds on you, and the proof that the company can process your data.

For example, if you’re getting marketing emails from a company that you don’t know, then you can ask for proof that you should be receiving the communications.

If there’s no proof that your data should be processed, then the company is potentially in breach of the GDPR. At this point, you should inform them of this, and ask to be removed from further data processing.

If you’re not happy with the response, you can make a formal complaint to the ICO.

If the company believes that it has a legitimate right to process your data, it may write back to you with the proof that it has. However, even with this, you can object to your data being used.

If your data is being used for direct marketing, then your objection prevents all further communications of this type. For other types of processing, you can use the right to restrict your data or the right to erasure to prevent further processing.

RIGHT: After the GDPR came into effect, Waitrose let customers know how it was handling personal data