GDPR and data protection

After a series of high-profile scandals around some very big companies, everyone is more aware of how their data is being handled. A new piece of legislation, the GDPR, deals with this. What are your data rights? What is the GDPR? How can you make GDPR complaints? Resolver explains in our guide to data protection.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a new set of rules that came into effect on 25 May 2018. Under the GDPR, you have extensive rights that protect your data. The GDPR allows you to make complaints through Resolver about a number of things to do with data, your personal information and how it is processed/shared.

Your main rights are:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • And rights to do with automated decision making and profiling.

These might seem complicated at first glance, but they’re actually pretty simple. First, companies have to tell you when they’re going to keep your data – and tell you how, why and when they’re going to use it.

Companies should give you access to your data. This means you should always be able to ask companies to give you a copy of your data. It’s as simple as that!

You should also be allowed to rectify and change the data that’s on file about you – and, in some cases, ask for it to be erased. If you want to, you can exercise your right to data portability and move your data around. Under certain circumstances, you can also ask a company to keep your data on file but to stop using it.

Data protection is regulated and enforced by the Information Commissioner’s Office (ICO). If you are unable to get anywhere with a company, you can always consider escalating your case to the ICO. They will be able to handle the majority of your GDPR complaints.

Since the GDPR came into effect on 25 May 2018, any company that doesn’t keep to the rules may be hit with a massive fine!

Your data and your rights

When are companies allowed to use my data?

Companies have to get your consent before they use your data. This means you’ll have to tick a box or agree to terms and conditions (or similar). You may have received a load of GDPR emails recently asking you to agree to updated terms and conditions – many companies will have been asking your permission to use your data.

There are some other reasons for companies to be handling your data – including if it is necessary to deliver a service you've signed up for. Generally speaking, a company has to have a good reason to be handling your data unless you've given your consent.

I don’t want to receive marketing information

Companies should get your consent before sending you marketing emails. If you are receiving unwanted marketing emails, you should consider contacting the company to withdraw your consent. You can do this at any time through Resolver. If they didn't request your consent, you should consider making a GDPR complaint through Resolver.

If a company wants to send you a new type of marketing information, they should request consent from you wherever possible.

How do I get my data deleted?

You have the right to ask an organisation not to gather your information – and, in some cases, to erase any data they have on you.

Under some circumstances you may be able to get your personal data to be deleted. This is your “right to erasure”.

Companies have a month to respond to a request for erasure. Requests can be sent via Resolver.

A company is not obliged to erase your data if:

  • They have to process your data to exercise the right of freedom of expression and information;
  • Your data is being used in an investigation or any other legal proceedings;
  • Your data has to be used to carry out a task that’s in the public interest.

A company can also refuse your request if they think it’ll be extremely difficult to erase your data. In this situation, they can also choose to charge a reasonable fee for processing your request.

If you send a request, the company has a month to respond. If they don’t do so, they may have breached the GDPR, and you can escalate your case to the Information Commissioner’s Office (ICO).

In most cases, you should be able to have your personal data deleted – although there are some exceptions.

How do I see what data a company has on me?

You have the right to see a copy of the personal data a company holds about you.

Under the GDPR, firms have to keep you informed about the data they’re keeping about you.

You can always make a request for the information that a company has on file about you – although they are allowed to withhold information if releasing it would endanger someone else’s privacy or interfere with an investigation.

You can use Resolver to send a request via email. Companies have 30 days to provide your information.

How do I get personal information corrected?

Companies have to keep correct information about you. If you discover that a company has inaccurate information on file, you have the right to request that they change or remove the incorrect information.

You can do this by submitting a request via Resolver. Be sure to include any relevant proof (letters and identification etc.). If the company does not change the details to your satisfaction, they may be in breach of the Data Protection Act. If you believe this is the case, you can use Resolver to escalate your issue to the Information Commissioner’s Office (ICO).

Cold calls

If you’re receiving unwanted marketing calls or messages, you have the right to ask for them to stop. You can do this by sending a message through Resolver.

If you want to prevent other firms from sending you unsolicited marketing calls, you should consider registering with the telephone preference service (TPS).

Junk mail

If you’re receiving unwanted marketing calls or messages, you have the right to ask for them to stop. You can do this by sending a message through Resolver. After you’ve contacted a company, they are obliged to stop sending you mail within 28 days of the date of your message. If they don’t stop, you can escalate your case to the Information Commissioner’s Office (ICO).

If you want to prevent other firms from sending you unsolicited mail, you should consider registering with the mail preference service (MPS). The MPS is a free service set up by the direct marketing industry that aims to reduce the amount of junk mail you receive. Companies aren’t legally obliged to check the MPS list before sending materials, but most do.

Data leaks

Data leaked by company

Companies are responsible for keeping your data secure. If your data has been lost, you may be due compensation. Use Resolver to contact the company who held your information.

Under the GDPR, companies have to tell the ICO as soon as a breach occurs. If a data breach places you at risk of identity theft or loss of personal safety, for example, the company should tell you as soon as they can.

If you’ve suffered either distress or damages because a company has lost your data, you may be due compensation. When you approach the company, you should outline any distress or losses caused by their negligence. In addition, be prepared to explain the amount of compensation you think is appropriate.

If the company is unwilling to pay out compensation (or is not willing to pay out the amount of compensation you believe you are due), you will need to take your case to the small claims court.

Before doing so, if you are unhappy with the way the company has handled your complaint, you can escalate your case to the Information Commissioner’s Office (ICO). While the ICO cannot force companies to pay you compensation, they can give you evidence that will help you in your court case.

Outside of seeking compensation, you should also take steps to protect yourself. If your data has been lost, you should change any similar usernames and passwords that you may use. Check your credit report to make sure that there has been no credit taken out in your name by fraudsters.

If a court finds that you are eligible for compensation, it is up to the judge to decide upon an appropriate amount of compensation. In most cases, the matter can be settled in the Small Claims Court.

My data was shared without permission!

Companies should make you aware when they share your personal data – and should let you know what it’s being used for. This will normally be done by providing a tick-box within a service or by giving details in the terms and conditions.

If a company has given out your personal information without your permission, you may be eligible for compensation if you have suffered financial losses or distress as a result. You should first contact the company who has shared your information to see if they are willing to resolve the issue. If they are unwilling to provide compensation (or will not pay an appropriate amount of compensation), you should escalate your case to the relevant Ombudsman (for example, the Financial Ombudsman is capable of forcing debt collection firms or mortgage companies to pay out compensation for sharing your details without permission).

Under the GDPR, companies are responsible for your data being safe even when it is being handled by a company they use to fulfil part of their business!

Data shared due to a merger or takeover

If your information was being held by a company and that company is taken over or merged with another organisation, your data may be shared in a way that wasn’t originally planned by the company who first held your data. This is allowed, but your data should still be shared in a way that is fair. Companies should inform you when they get your data and should let you know that the way your data is being handled will change.
