The EU’s General Data Protection Regulation (GDPR) underpins the UK’s data protection regime. Under the GDPR, any organisation that handles personal information must use robust measures to keep this data safe. The more you know about the GDPR, the easier it is to hold organisations to account when they fail to protect your data rights.
The GDPR is an EU law on data protection and privacy. It establishes how your personal information can be used by organisations, businesses and the government.
Despite Brexit, all UK organisations must comply with the GDPR as the UK chose to implement its version of the law after the transition period ended (UK GDPR). In the UK, the Data Protection Act (DPA) 2018 is the UK’s interpretation of the GDPR.
Under GDPR, people have a right to be notified if their personal data is being used or stored. This includes why an organisation uses your data, how it is using it, what type/types of data it is using, how long the data will be kept, if it shares this data with any third parties, and more. A failure to provide this information could be a data protection breach.
Personal data includes can be used to identify a specific individual – either on its own or along with other information. This could be a name, email address, financial information or even an IP address.
You have the legal right to access any personal data an organisation holds on you. To exercise this right, you should ask for a copy of this data.
You can challenge the accuracy of any personal data that an organisation holds about you and ask for it to be corrected or added to. Organisations do not always have to agree to such requests (for example, a doctor does not have to change an individuals’ medical history if they believe a request is erroneous). But they must provide a legitimate reason if they do not so (and tell the data subject what that reason is).
GDPR gives you the right to have your personal data erased. This is also known as ‘the right to be forgotten’. The right is not absolute and only applies in certain circumstances.
You can restrict the way an organisation uses your personal data. This means you can limit the way that an organisation uses your data. This is an alternative to requesting the complete erasure of your data.
You have the right to get a copy of your personal data from an organisation. You might want this data to pass to another organisation, so it must be provided in a transferable way if possible.
In some circumstances, you can object to an organisation using your data at all. For example, you have the right to stop an organisation from using your data for email marketing.
Under GDPR, the processing of biometric data (such as images of a person’s face) and the use of automated decision-making, including profiling, are only allowed in very explicit circumstances. If an organisation uses technology that discriminates against individuals and automatically makes decisions that harm them, such technology would not be GDPR compliant.
To access many of your GDPR data rights, you need to make a data subject access request (DSAR/SAR). You do not have to pay to make a DSAR. However, if you ask for extra copies, or if you ask for something that is ‘manifestly unfounded or excessive’, the organisation might charge a reasonable fee for administrative costs.
Data protection law requires organisations to respond to a request for data within one calendar month. However, they might need extra time to consider your request and, if so, can take an additional two months to do this. The organisation must let you know within one month if it needs more time and why. If the requested information is not provided in the timeframe, you can raise a complaint with the ICO. A refusal to answer respond to such a request within the legal timeframe could be a GDPR breach.
You can make a subject access request at any time. For example, many of our clients at KP Law make DSARs to start the compensation claim process following a data breach. If you decide that you want to make a SAR, there are some steps you should take…
This should be listed on the organisation’s website (check the privacy policy usually found in the footer). If you can’t find this information, let the company know. If they don’t make it available, you can complain to the ICO.
Do you need everything an organisation has about you or just a specific piece of information? If you only need certain data and you want this quickly, it makes sense to be explicit. For example, you could ask if your data was exposed in a specific data breach.
You can make a SAR in writing, in person, or over the phone. However, we recommend that you put your request in writing. This provides a clear evidence trail if we need this at a later date.
When making a SAR, you should also include your name and contact details as well as any account or reference numbers.
Most organisations will provide what you need electronically, but if you want it in another format, you can ask if this is possible. An organisation only has to agree to this if it is reasonable to do so.
This will help if there are any delays or if they try to fob you off.
An organisation can refuse a request if they believe it to be ‘manifestly unfounded or excessive’. But, if you think your request has been rejected unjustly, you can raise a complaint with the organisation in question, and if you remain dissatisfied, the ICO.
When it comes to GDPR failures and abuses, most people think about data breaches.
A data breach refers to any situation where data has been put at risk. For example, when criminals break into an organisation’s systems to steal information, or more commonly, because of simple human error and poor data protection processes.
But GDPR violations are not just about data breaches. A GDPR failure can happen when companies fail to uphold any of your individual data rights.
At KP Law, our data protection team is committed to making sure that people across England & Wales understand their data protection rights. And, if your rights have been violated by an organisation breaching any part of the GDPR/Data Protection Act, we may be able to help you to claim compensation. For example, in addition to our various data breach group actions, we support clients who have experienced GDPR violations because of facial recognition software and algorithmic and automated decision-making processes.
When it comes to legal support, big organisations have deep pockets. And they are smarter and better resourced than ever before. So, it can be difficult for some law firms to stand up to such strength if they do not have data breach expertise or the resources to take the big players on.
At KP Law, we do not just even the score – we take the fight to them.
Our data breach team has the legal expertise and resources necessary to take on the corporate giants. What is more, the strength and means of our firm ensure that we never have to back down from a challenge. And with access to whatever resource we need – be that time to go the long-haul or the expertise to delve deep into the evidence – we have everything it takes to win.
TELL US ABOUT HOW A DATA BREACH OR CYBERCRIME HAS AFFECTED YOU. AND WE’LL TELL YOU HOW WE CAN HELP.
KP Law has some of the most skilled data breach lawyers in England and Wales. Here are just some of our success stories.
KP Law is a founding member of the Collective Redress Lawyers Association (CORLA). CORLA aims to improve access to justice for claimants by way of collective redress.
