The Data Protection Act GDPR 2018 Act, what are my rights?
The General Data Protection Regulation, commonly known as the GDPR Act, came into force on May the 25th 2018.
What is personal data?
Personal data is information that relates to natural persons where they can be identified or an identifiable individual.
Identifying an individual could be something as simple as a name/ telephone number/ address or could include other identifiers such as an IP address or a cookie identifier etc.
The UK GDPR applies to the processing of personal data that is:
- wholly or partly by automated means; or
- the processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system.
Examples that do not constitute as personal data and therefor are not subject to the UK GDPR include:
- information about a deceased person
- Information about companies
- Information about public authorities
- Truly anonymised personal data (It is important to understand what personal data is in order to understand if the data has been anonymised.)
What does this mean for me?
The GDPR act controls and regulates how businesses, organisations or the government process and handle data, specifically your personal information. It has reformed the laws that protect individual’s personal information. The EU agreed upon the GDPR Act and the Data Protection Act 2018 is the UK’s implementation of this.
Anyone or business who assumes responsibility for using personal data has to follow strict rules which have been put in place by the Data Protection Act 2018 called the ‘data protection principles’. These principles ensure that your data and personal information is
- Accurate and up to date
- Use of which, is specified
- Kept for no longer than necessary
- Handled securely, including protection against unlawful or unauthorised processing.
- Used fairly
- Used transparently
- Used lawfully
The seven data protection principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
- Accountability principle
The principles set out the lawfulness of processing, conditions for consent, conditions applicable to child consent, processing of personal data relating to criminal convictions and offences and processing which does not require identification.
Under the Data Protection Act 2018, you have the right to request what information organisations, businesses or the government hold on you and how they are using this. A list of examples includes but are not limited to:
- The right to be informed (how your data is being used)
- The right of access (access personal data)
- The right to rectification (have incorrect data updated)
- The right to erasure (have data erased)
- The right to restrict processing (stop or restrict the processing of your data)
- The right to data portability (allowing you to get and reuse your data for different services)
- The right to object (object to how your data is processed in certain circumstances)
You also have rights when an organisation is using your personal data for:
- automated decision-making processes (without human involvement) (AI)
- using your information to predict behaviours
- using your information to predict interests
- Any other use of profiling
You can find more information in regard to individual rights on the ICO website: Individual Rights
And more information in regard to the UK GDPR here:
If you feel your GDPR rights have been breached, you can;
- Lodge a complaint with the company or organisation using your data
- Lodge a complaint with the ICO
- Take legal action (either against the company or organisation, or potentially against the ICO)
Under data protection law, you may be entitled to take your case to court in the following circumstances:
- To enforce your rights under data protection law. If you believe they have breached your rights
- claim compensation for any damage caused by any organisation if they have broken data protection law, including any distress you may have suffered, or
- a combination of the two.
If you feel your rights under the DPA have been infringed, contact our lawyers. They are always happy to discuss your concerns. Feel free to call them on 0207 632 4300.