The largest shakeup to data protection is just around the corner, but why is it happening and who does it affect?
The General Data Protection Regulation, or GDPR, is the reason a deluge of emails from every company you have ever handed your contact details to, or bought something from, is now clogging up your inbox.
Many are asking you to read their terms and conditions and confirm you wish to continue receiving correspondence. But do you actually have to do anything? In this guide we explain what GDPR is and whether it affects you.
What is the GDPR?
The GDPR is an EU-wide set of rules around personal data. It applies to the data that businesses and organisations hold about people in the EU, wherever the organisation itself is based, sets standards for how that data may be used, brings in rules for reporting data breaches, and provides greater protection for digital privacy.
How will companies treat you and your data differently?
Businesses must be able to prove that the data they collect is relevant and for a specific purpose. It must also be accurate, secure and up to date.
Consumers will also have the right to clearer information about the data they are handing over and the right to have that data erased (the "right to be forgotten"), so privacy policies need to be written in plain English, not legal-speak. You will be able to ask what data an organisation holds on you and how it has been processed, and where an organisation relies on your consent, that consent must be given actively: pre-ticked boxes and silence no longer count.
If your data is breached, companies must report it to the regulator within 72 hours of becoming aware of it, and tell affected users without undue delay where the breach poses a high risk to them. Failing to do so can cost up to €10m (£8.75m) or 2pc of worldwide annual turnover, whichever is higher, and those found to have broken the rules around processing data could face fines of up to €20m or 4pc of turnover, again whichever is higher.
These are far greater than the fines meted out under the current rules. TalkTalk was fined £400,000 by the Information Commissioner's Office in 2016, a record at the time, but the same breach could have attracted a penalty of up to €59m under the new rules. That said, the ICO is required to impose "proportionate" fines, so they may not be so steep in practice.
What do you need to do?
If you are on a company's email list that you never opted in to, you may need to click the link in its email to consent to being contacted in future. If you would rather these organisations did not keep your information, the same emails give you a chance to do some spring cleaning of your data and your inbox: ignore the ones you no longer want and your details should drop off their lists.
Mathew Keshav Lewis, regulatory head of law services firm Axiom, said: "This barrage of emails may be a nuisance, and is only a small window into the huge changes that companies have to do for GDPR, but it gives everyone a chance to do some housekeeping of their data."
What about social networking sites?
In some cases you might be asked to accept a site's data policy or be denied the service. Facebook has been using this tactic for EU users, explicitly stating that they must agree to at least some of its data rules or they cannot use its service.
The rules state the data collected must be necessary for the service to work, but some have argued Facebook's demand for consent goes beyond this.
Facebook has said that GDPR could negatively impact user growth, as it is requiring users to accept its new terms to keep using its full service.
Do I need to look out for scams?
Yes. If you are concerned about an email, don't click the link. Check that the sender's actual address, not just the display name, belongs to the organisation, and hover over any link to see where it really points before you follow it. GDPR phishing scams are prevalent and are taking advantage of the deluge of consent emails being sent by companies on the topic. A genuine consent email will never ask for your password, card details or other personal information; one that does is a scam.
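The checks described above can be scripted rather than done by eye. The Python below is an added example written for this article, not code from any company or vendor named here; it parses a raw email, reads the SPF/DKIM/DMARC results that your own mail server records in the Authentication-Results header, and compares the sender's domain with the domains the links actually point to, flagging links whose visible text shows one site while the href leads to another. Both messages are constructed for the example; the two-label "registrable domain" heuristic is an assumption that is wrong for suffixes such as co.uk, and a passing SPF/DKIM/DMARC result only shows the mail came from the domain it claims, not that the domain is the one you bank with, which is why the domain comparison matters.

```python
import re
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: a GDPR "re-consent" email from a look-alike domain.
SAMPLE_PHISH = """\
From: "Your Bank" <noreply@yourbank-secure-update.example>
To: customer@example.org
Subject: Action required: confirm consent under GDPR
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=yourbank-secure-update.example; dkim=none; dmarc=fail header.from=yourbank-secure-update.example
Content-Type: text/html; charset=utf-8

<html><body>
<p>Under GDPR you must re-confirm your consent within 72 hours.</p>
<p><a href="http://login.yourbank-secure-update.example/confirm">https://www.yourbank.example/gdpr</a></p>
<p><a href="https://www.yourbank.example/privacy">privacy policy</a></p>
</body></html>
"""

# Constructed genuine notice: authenticated sender, links stay on the sender's domain.
SAMPLE_GOOD = """\
From: "Your Bank" <noreply@yourbank.example>
To: customer@example.org
Subject: We have updated our privacy policy
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=yourbank.example; dkim=pass header.d=yourbank.example; dmarc=pass header.from=yourbank.example
Content-Type: text/html; charset=utf-8

<html><body>
<p>You can read <a href="https://www.yourbank.example/privacy">our updated privacy policy</a> at any time.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Heuristic registrable domain: the last two labels (assumption; wrong for co.uk etc.)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_message(raw):
    """Return a list of human-readable findings; an empty list means nothing looked wrong."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    _, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rpartition("@")[2].lower()

    # Authentication-Results is stamped by the receiving mail server, not the sender.
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1) if m else "missing"
        if result != "pass":
            findings.append(f"{mech} {result}")

    collector = LinkCollector()
    collector.feed(msg.get_content())  # single-part text/html body assumed
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if parsed.scheme == "http":
            findings.append(f"plain http link: {href}")
        if text.startswith(("http://", "https://")):
            shown = urlparse(text).hostname or ""
            if registrable(shown) != registrable(host):
                findings.append(f"link text shows {shown} but points to {host}")
        if registrable(host) != registrable(from_domain):
            findings.append(f"link to {host} does not match sender domain {from_domain}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("good", SAMPLE_GOOD)):
        print(label, check_message(sample) or ["no findings"])
```

Run it against a message saved as .eml by passing the file's contents to check_message. The lure produces six findings (three failed authentication results, an http link, a link whose visible text and target disagree, and a link that leaves the sender's domain), while the genuine notice produces none.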
Rodney Joffe, chairman of Neustar International Security Council, warns: "There is no doubt that criminals will utilise GDPR emails as a scapegoat to attack users and potentially steal personal information.
"They are savvy and they know countless amounts of emails are likely to be shared over the next few weeks. Consumers may become targets of vicious cyber-attacks, including phishing and malware."