Jo Pedder, head of policy and engagement at the Information Commissioner's Office (ICO), points to useful guidance on the new EU General Data Protection Regulation (GDPR), which comes into force in May 2018.
The regulation brings major changes to how organisations are expected to look after personal data and to their obligations to disclose breaches of that data to the authorities and to affected individuals. Organisations that fail to take their data protection responsibilities seriously could face severe penalties.
As the U.K.'s representative on the EU's Article 29 Working Party, the ICO has published a lot of useful advice about the changes, including a list of 12 steps to take right now ahead of the GDPR coming into effect on 25 May 2018:
The GDPR will change the rules on profiling, the practice of identifying, analysing and predicting an individual's personality, behaviour, interests, habits and other characteristics. Organisations may gather information such as education, browser history, financial data and purchase history in order to market the goods and services they think an individual wants or needs.
Profiling has grown exponentially in the last few years, to the point where personal data is available online in abundance. The GDPR, however, strengthens the rights of data subjects and raises the bar on the obligations of data controllers, which may result in huge changes to the way companies advertise on the internet.
After 25 May 2018, organisations will need to show that the personal data they collect is kept to a minimum, rather than gathering large volumes of information in case it proves useful for some purpose later. That information will also need to be accurate, since inaccurate information can lead organisations to make the wrong classifications and decisions. The GDPR also calls for proper retention management: obtained personal data must be reviewed regularly to make sure it is still "relevant for the purpose."
If an organisation relies on consent as the legal basis for obtaining personal data, that consent is only valid if it is "freely given, specific, informed and unambiguous."
However, there are some circumstances in which such consent may not be needed:
The key word here is "necessary". The GDPR will expect organisations to be able to demonstrate necessity. These new provisions should help to ensure that organisations are not simply gathering huge amounts of data haphazardly and leaving it in a giant digital box to dig into whenever they want. They may also usefully restrict the sale of personal information.
The content of this post/page was considered accurate at the time of the original posting and/or at the time of any posted revision. The content of this page may, therefore, be out of date. The information contained within this page does not constitute legal advice. Any reliance you place on the information contained within this page is done so at your own risk.