Reality Check: Who controls your data?

25 April 2018

Close up image of a young woman's hand sending a text message on a smartphone.

By Lora Jones

Business Reporter, BBC News

New data protection rules will come into force in the UK in May.

The EU's General Data Protection Regulation (GDPR) will change how companies and individuals collect, store and share data.

With the biggest change to data privacy in the UK since 1998 coming up, Reality Check explains what you need to know.

The GDPR will give people more control over how organisations use their personal information, or data.

It's a piece of EU legislation that was passed in 2016. It aims to create identical data privacy laws across all EU countries.

Under the new rules, companies who rely on an individual's consent to collect their data will face tougher restrictions.

The GDPR says that customers need to actively opt in. Companies will need to use language that is easy to understand, and tell people that they can withdraw consent at any time.

Firms must also report any data breaches to authorities within 72 hours.

Individuals will be able to request information about how a company might be using their data, what data it collects, and why.

2. Why does it matter?

In the UK, the GDPR will replace the Data Protection Act 1998.

Today, we create a huge amount of data - from watches tracking calories and sleep, to apps for managing finances or messaging friends.

So, the GDPR was created to bring data protection rules up to date with how much data we produce, and how companies are using it.

With recent data breaches at companies such as Facebook, Uber and MyFitnessPal, the regulation will also give companies tougher guidelines on how they can use data.

Young woman uses a tablet computer in the office late at night.

Getty Images

3. When is it coming in?

The new law will apply in all EU states from 25 May 2018.

4. Who does it apply to?

The GDPR will apply to all data "controllers" or "processers".

Controllers give direction on how and why personal data is processed (such as a company), while a processor carries out the action of collecting the data (such as an IT apprentice).

The regulation will also apply to individuals. For example, a hairdresser who collects email addresses of customers to send a newsletter to needs to comply with the new rules.

The GDPR will apply to anyone offering services in the EU, regardless of where it is headquartered.

5. What does personal data mean?

The GDPR applies to all personal data. That means any information that could identify a living person, directly or indirectly.

This could include their name, location or their phone number.

Some personal information is classed as sensitive by the GDPR, and needs more protection. That could include ethnic origin, sexual orientation, religious belief, trade union membership and more.

Facebook to exclude billions from European privacy laws

Getty Images

6. Can I access data about myself?

Anyone can ask a company to confirm what personal data it has about them.

That person has the right to be provided with a copy of the information - as well as the reason for that company collecting their personal data and who gets to see it.

The company must supply this free of charge and in an accessible way, such as on email, within 30 days of the request, under the GDPR.

Individuals can also ask for data to be corrected, if it's not accurate.

7. What is the right to be forgotten?

People can also ask for their personal data to be deleted at any time - if it's no longer relevant. This is known as the right to be forgotten.

This right also applies online. Someone could ask a company that has made their personal data available online to delete it, for example.

Those companies are obligated to inform others that the owner of the personal data has requested the right to be forgotten. The data, links to it and copies of it, must be deleted.

Companies with more than 250 employees must document all of the data they are processing, including why, how customers opted in, who can see the data, and a description of their security measures.

Two men and a women gathered around a dual screen in an office.

Getty Images

Smaller companies might need only to document data they process on a regular basis, or data they process that is sensitive.

GDPR: Are you ready for the EU's huge data privacy shake-up?

Some business groups have raised concerns about the impact the new rules could have, saying many companies are unaware of the changes, and that recording this additional information will be a burden.

The Information Commissioner's Office (ICO) is responsible for enforcing the GDPR in the UK. It has published a 12-step guide on how businesses can get ready.

9. Can I be fined for failing to comply?

Yes - the GDPR allows the ICO to issue fines to anyone failing to comply.

The ICO can issue fines of up to about £17.5m, or 4% of a company's global turnover, whichever is higher.

Fines can be issued for misusing data, data breaches, or failing to process an individual's data correctly.

10. Will it still apply after the UK leaves the EU?

GDPR rules will continue to apply after the UK leaves the EU.

The government's Data Protection Bill, means that GDPR rules will essentially be replicated in UK law.

The bill also adds the ability for individuals to request that social media companies delete any posts they made when they were a child, and expands the definition of personal data to include IP addresses, internet cookies - and even DNA.

Read the ICO's full guide to the GDPR here.

1. What is the GDPR?

2. Why does it matter?

3. When is it coming in?

4. Who does it apply to?

5. What does personal data mean?

6. Can I access data about myself?

7. What is the right to be forgotten?

8. How will the GDPR affect my business?

9. Can I be fined for failing to comply?

10. Will it still apply after the UK leaves the EU?

More on this story