Know your data protection rights

The modern consumer is more easily lured away from sense and logic by the growing frenzy of “up to 70% off”, “free month for new customers”, and other lucrative and desirable siren calls of the internet.

An attractive price or offer can often detach us from the otherwise conscious protection of the data we are handing over about ourselves. Name, email address, phone number, home address and payment information are all details we trade almost on a daily basis in exchange for a product or service. To the receiver of the data, however, it is worth much more than a ‘one-off’ sale. It can be used to market to you in a relentless attempt to entice further funds from your grasp, traded with other companies or sold to the highest bidder. Many companies will guard your data with good intentions; others may favour cost-cutting over your protection, making them the perfect victims for hackers and fraudsters.

Ever had a fraudulent phone call purporting to ‘fix your computer virus’? Ever been bombarded with marketing materials by phone, text, post, email – maybe even from a company you have never contacted before but which provides related services to those companies you have bought from? Or is your email inbox rife with illegitimate invoices, account alerts or refunds?

Our complacency in handing over our personal information, without doing basic research into who we are handing it over to, is increasing with every frivolous purchase or subscription.

But have no fear, help is at hand to translate that jargon-filled legislation into rights you can understand and protect. I head up the Legal Department at CyberCrime Services, where we aim to spread knowledge so you are armed to defend yourself against wrongdoing. When your data is held on a computer, on paper, or made up of photos, video or voice recordings, you have extensive rights. These rights increased on 25 May 2018 when the General Data Protection Regulation (GDPR) was enacted into law in the UK.

1. Right to be informed

When your personal data is collected, the party collecting it should inform you about how and why the data is to be collected and used. This information should be easy for you to understand, concise, transparent, intelligible and easily accessible. If your personal data is being collected directly by the party using it, they should provide you with this information at the time of collection. If, however, a third party collects the data (for example, Eventbrite collect your data for the organisers of the event when you sign up), then you should be given this information when the party using your data first contacts you.

2. Right to access your personal information

You can request to have access to all the personal data a company has which relates to you, including recorded opinions, unless there is an overriding interest not to grant access, such as an ongoing investigation. You are entitled to know the reasons your data is being processed (‘processed’ means stored and used) and whether it will be shared with other companies. This request must be made in writing, and can incur a small fee (usually £10) until the GDPR comes into force, which requires requests to be free. The company must respond within 40 days; however, GDPR will reduce this to 1 month.

3. Right to object to your data being processed if likely to cause distress

You have the right to request the company stop or prevent processing your data if it causes unwarranted and substantial damage or distress. You have to explain why it has that effect and there are some exceptions. You do not have this right if you consented to the processing, if the processing is essential for the fulfilment of a contract you entered into or want to enter into, if the processing is necessary because of a legal obligation or to protect your ‘vital interests’.

4. Right to prevent processing for direct marketing

You can at any time ask a company in writing to stop or never use your personal data for direct marketing. Direct marketing is marketing directed at you personally by phone, email, post or text, rather than generic junk mail which is not addressed to a particular person. The company must stop direct marketing within a reasonable time of receiving your request; this is deemed to be around 28 days for electronic communications and 2 months for postal.

5. Right to object to automated decision making

I know what you’re thinking, what on earth is this? An example is if you apply for a loan through a website which uses algorithms and auto credit searches to give you an immediate automated decision. You can give written notice to stop or prevent a company making automated decisions with your personal data, or ask them to reconsider a decision made by automated means. You have 21 days to request an automated decision be reconsidered or a new decision made on a different basis. You also have a right to be informed when a decision made is automated. Some automated decisions are exempt from this right. The exemptions include those automated decisions required/authorised by legislation or made in preparation for a contract with the concerned individual, and are to give the individual something they have asked for, or if steps have been taken to protect the interests of the individual by, for example, putting an appeal process in place.

6. Right to have inaccurate personal data rectified, blocked, erased or destroyed

If a company holds incorrect personal information about you, you have a right to get it rectified, blocked, erased or destroyed. If this cannot be resolved between you and the company, you can make these requests to the court. If the incorrect information caused you damage, you are entitled to compensation. This does not apply, however, if you or another organisation provided the incorrect information and it was recorded accurately.

7. Right to claim compensation for breach of the Data Protection Act

If you have suffered damage as a result of a company breaching the Data Protection Act, you are entitled to claim compensation through court. There are no guidelines suggesting the amount of compensation that can be awarded; however, if an amount cannot be agreed between you and the company, the court will decide the amount.

8. Right to be forgotten

Also known as Data Erasure, this right will not provide an absolute right to be forgotten. It applies to data which is no longer needed for the purposes it was originally collected, data for which you have withdrawn consent or have objected to processing (if there is no overriding legitimate interest for the company to continue processing the data), data which was unlawfully processed, and data which must be erased to comply with a legal obligation. Finally, it applies to personal data processed in relation to the offer of information society services to a child.

9. Right to data portability

The right to data portability will give you the right to use the data one company holds about you for your own uses or across multiple services. This right allows data to be transferred from one IT environment safely and securely to another. It only applies to personal data which an individual has provided, where the processing is based on the individual’s consent or for the performance of a contract, and when the processing is conducted by automated means. This information must be provided to you for free, in a commonly used and machine-readable form, and within one month of your request.

So there you have it! But don’t forget, there are fraudsters out there who don’t play by the rules! Make sure to know the warning signs of fake companies and fraudulent communications. Follow CyberCrime Services on Facebook and Twitter for regular updates on trending scams, to stay one step ahead of the criminals. For more information about your rights, or for our legal services, get in touch at info@cybercr1me.com.