As well as the right to withdraw consent at any time regarding how our data is held and what is done with it, the Data Protection Act 2018 gives us quite considerable power over internet companies and other organisations which use the web as a portal.
Subject access requests
It has been possible to request exactly what data an organisation holds about you since the Data Protection Act of 1998; this is done by submitting a subject access request (SAR). In this case, you as the user are the subject, and are requesting access to your own information. The main improvements of the 2018 Act were to speed up the process and make it free of charge in most cases.
By law, a company has to respond to a legitimate SAR within a month of receiving it. If your request is deemed excessive or unfounded, the holder of your data may refuse, delay or charge for this process; if so, they have to inform you of their decision within the same time period.
Legitimate reasons for using data
Once a SAR is answered, the subject (you) will be able to see if your data is being used for legitimate reasons. Under the terms of the Act, there are six of these; most of these are common sense (such as consent, which has been given in all cases), and all are there to protect you as a user.
Importantly, the organisation receiving the SAR must disclose all aspects of the data they hold, and reply in plain language, rather than disguise it in legal terminology. From this starting point, it should be easy to determine whether the business or other organisation is holding and using your data for legitimate reasons.
Erasing or correcting your data
One of the most powerful rights enshrined in the Act is the right to demand your data be erased; this is also known as the right to be forgotten. Legitimate reasons for having your data erased are that you don’t require a service any longer, you object to your data being used for marketing, or you haven’t given consent.
Also, if a company has data which is inaccurate, you can inform them and demand that they amend it. This is often in the interests of the business, so is likely to be carried out without delay. Again, the organisation has one month to comply, or reply with their reasons for not doing so.
Fines and compensation
Complying with GDPR is within service providers interests for many reasons; not the least of which are the fines which they can incur for breaking the law. The maximum is set at 20 million euros, or 4% of global annual income, whichever is the higher.
Also, you as the subject have a number of routes by which to claim compensation; job holders employed in the use of data can be sued separately, and for a wide range of reasons. This is another way GDPR encourages compliance by the holder of data.
Check out the 2018 Data Protection Act now; it really is more than a source of inconvenient popups.