Data watch

New data protection rules will come into force in the UK in May.
The EU's General Data Protection Regulation (GDPR) will change how companies and individuals collect, store and share data.
With the biggest change to data privacy in the UK since 1998 coming up, Reality Check explains what you need to know.

1. What is the GDPR?
The GDPR will give people more control over how organisations use their personal information, or data.
It's a piece of EU legislation that was passed in 2016
It aims to create identical data privacy laws across all EU countries
Under the new rules, companies who rely on an individual's consent to collect their data will face tougher restrictions. The GDPR says that customers need to actively opt in.
Companies will need to use language that is easy to understand, and tell people that they can withdraw consent at any time. Firms must also report any data breaches to authorities within 72 hours.
Individuals will be able to request information about how a company might be using their data, what data it collects, and why
2. Why does it matter?
In the UK, the GDPR will replace the Data Protection Act 1998. Today, we create a huge amount of data - from watches tracking calories and sleep, to apps for managing finances or messaging friends.
So, the GDPR was created to bring data protection rules up to date with how much data we produce, and how companies are using it
With recent data breaches at companies such as Facebook, Uber and MyFitnessPal, the regulation will also give companies tougher guidelines
on how they can use data
3. When is it coming in?
The new law will apply in all EU states from 25 May 2018.
4. Who does it apply to?
The GDPR will apply to all data "controllers" or "processors". Controllers give direction on how and why personal data is processed (such as a company), while a processor carries out the action of collecting the data (such as an IT apprentice).
The regulation will also apply to individuals
For example, a hairdresser who collects email addresses of customers to send a newsletter to needs to comply with the new rules. The GDPR will apply to anyone offering services in the EU, regardless of where it is headquartered.
5. What does personal data mean?
The GDPR applies to all personal data.
That means any information that could identify a living person, directly or indirectly
This could include their name, location or their phone number
Some personal information is classed as sensitive by the GDPR, and needs more protection
That could include ethnic origin, sexual orientation, religious belief, trade union membership and more
6. Can I access data about myself?
Anyone can ask a company to confirm what personal data it has about them.
That person has the right to be provided with a copy of the information - as well as the reason for that company collecting their personal
data and who gets to see it
The company must supply this free of charge and in an accessible way, such as on email, within 30 days of the request, under the GDPR. Individuals can also ask for data to be corrected, if it's not accurate.
7. What is the right to be forgotten?
People can also ask for their personal data to be deleted at any time - if it's no longer relevant.
This is known as the right to be forgotten
This right also applies online
Someone could ask a company that has made their personal data available online - such as a search engine - to delete it, for example. Those companies are obligated to inform others that the owner of the personal data has requested the right to be forgotten.
The data, links to it and copies of it, must be deleted
8. How will the GDPR affect my business?
Companies with more than 250 employees must document all of the data they are processing, including why, how customers opted in, who can see the data, and a description of their security measures.
Smaller companies might need only to document data they process on a regular basis, or data they process that is sensitive.
Some business groups have raised concerns about the impact the new rules could have, saying many companies are unaware of the changes, and
that recording this additional information will be a burden
The Information Commissioner's Office (ICO) is responsible for enforcing the GDPR in the UK
It has published a 12-step guide on how businesses can get ready.

9. Can I be fined for failing to comply?
Yes - the GDPR allows the ICO to issue fines to anyone failing to comply. The ICO can issue fines of up to about £17.5m, or 4% of a company's global turnover, whichever is higher.
Fines can be issued for misusing data, data breaches, or failing to process an individual's data correctly
10. Will it still apply after the UK leaves the EU?
GDPR rules will continue to apply after the UK leaves the EU.
The government's Data Protection Bill means that GDPR rules will essentially be replicated in UK law.
The bill also adds the ability for individuals to request that social media companies delete any posts they made when they were a child, and
expands the definition of personal data to include IP addresses, internet cookies - and even DNA
Read the ICO's full guide to the GDPR here