Your Data and Personal Information
We're all increasingly concerned about how our data is being stored – but what exactly are the rules regarding personal data? What can companies do with my personal information? Resolver explores in our guide to your data and personal information.
Need to make a complaint about personal data? Resolver can help you for free.
Your rights
From 25 May onwards, consumers will be protected by the General Data Protection Regulation (GDPR).
Under the GDPR, you have extensive rights that protect your data.
Your main rights are:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object;
- And rights to do with automated decision making and profiling.
These might seem complicated at first glance, but they're actually pretty simple. First, companies have to tell you when they're going to keep your data – and tell you how, why and when they're going to use it.
Companies should give you access to your data. This means you should always be able to ask companies to give you a copy of your data. It’s as simple as that!
You should also be allowed to rectify and change the data that’s on file about you – and, in some cases, ask for it to be erased. If you want to, you can exercise your right to data portability and move your data around. Under certain circumstances, you can also ask a company to keep your data on file but to stop using it.
Data protection is regulated and enforced by the Information Commissioner’s Office (ICO). If you are unable to get anywhere with a company, you can always consider escalating your case to the ICO.
Data leaks
Data shared without permission
Companies should make you aware when they share your personal data – and should let you know what it’s being used for. This will normally be done by providing a tick-box within a service or by giving details in the terms and conditions.
If a company has given out your personal information without your permission, you may be eligible for compensation if you have suffered financial losses or distress as a result. You should first contact the company that shared your information to see if they are willing to resolve the issue. If they are unwilling to provide compensation (or will not pay an appropriate amount of compensation), you should escalate your case to the relevant Ombudsman (for example, the Financial Ombudsman is capable of forcing debt collection firms or mortgage companies to pay out compensation for sharing your details without permission).
Data shared due to a merger or a takeover
If your information was being held by a company and that company is taken over or merged with another organisation, your data may be shared in a way that wasn’t originally planned by the company who first held your data. This is allowed, but your data should still be shared in a way that is fair. Companies should inform you when they get your data and should let you know that the way your data is being handled will change.
Information leaked by employer
Your employer is legally responsible for any data leaks that are caused by either your employer or another employee. If the leak has not been prevented and could result in the risk of identity theft or potential financial loss, you may be eligible for compensation.
Data leaked by company
Companies are responsible for keeping your data secure. If your data has been lost, you may be due compensation. Use Resolver to contact the company who held your information.
Under the GDPR, companies have to tell the ICO as soon as a breach occurs. If a data breach places you at risk of identity theft or loss of personal safety, for example, the company should tell you as soon as they can.
If you’ve suffered either distress or damages because a company has lost your data, you may be due compensation. When you approach the company, you should outline any distress or losses caused by their negligence. In addition, be prepared to explain the amount of compensation you think is appropriate.
If the company is unwilling to pay out compensation (or is not willing to pay out the amount of compensation you believe you are due), you will need to take your case to the small claims court.
Before doing so, if you are unhappy with the way the company has handled your complaint, you can escalate your case to the Information Commissioner’s Office (ICO). While the ICO cannot force companies to pay you compensation, they can give you evidence that will help you in your court case.
Outside of seeking compensation, you should also take steps to protect yourself. If your data has been lost, you should change any similar usernames and passwords that you may use. Check your credit report to make sure that there has been no credit taken out in your name by fraudsters.
If a court finds that you are eligible for compensation, it is up to the judge to decide upon an appropriate amount of compensation. In most cases, the matter can be settled in the Small Claims Court.
Marketing
I don't want to receive marketing information
Companies should get your consent before sending you marketing emails. If you are receiving unwanted marketing emails, you should consider contacting the company to withdraw your consent. You can do this at any time through Resolver.
If a company wants to send you a new type of marketing information, they should request consent from you wherever possible.
Cold calls
If you’re receiving unwanted marketing calls or messages, you have the right to ask for them to stop. You can do this by sending a message through Resolver.
If you want to prevent other firms from sending you unsolicited marketing calls, you should consider registering with the Telephone Preference Service (TPS).
Junk mail
If you’re receiving unwanted marketing calls or messages, you have the right to ask for them to stop. You can do this by sending a message through Resolver. After you’ve contacted a company, they are obliged to stop sending you mail within 28 days of the date of your message. If they don’t stop, you can escalate your case to the Information Commissioner’s Office (ICO).
If you want to prevent other firms from sending you unsolicited mail, you should consider registering with the Mail Preference Service (the MPS). The MPS is a free service set up by the direct marketing industry that aims to reduce the amount of junk mail you receive. Companies aren’t legally obliged to check the MPS list before sending materials, but most do.
Managing my personal data
Requesting personal data
You have the right to see a copy of the personal data a company holds about you.
Under the GDPR, firms have to keep you informed about the data they’re keeping about you.
You can always make a request for the information that a company has on file about you – although they are allowed to withhold information if releasing it would endanger someone else’s privacy or interfere with an investigation.
You can use Resolver to send a request via email. An organisation has 40 days to respond, and can charge you up to £10 in administration fees.
I want my personal data to be deleted
Under some circumstances you may be able to get your personal data deleted. This is your “right to erasure”.
Companies have a month to respond to a request for erasure. Requests can be sent via Resolver.
A company is not obliged to erase your data if:
- They have to process your data to exercise the right of freedom of expression and information;
- Your data is being used in an investigation or any other legal proceedings;
- Your data has to be used to carry out a task that's in the public interest.
A company can also refuse your request if they think it'll be extremely difficult to erase your data. In this situation, they can also choose to charge a reasonable fee for processing your request.
Excessive information held
Companies are responsible for ensuring that they only hold relevant information – and the amount of information they hold should not be excessive.
This means that companies shouldn’t be hoarding massive amounts of ridiculously detailed information about you – a shoe company shouldn’t want to know about how many times you buy falafel, for example.
If you believe that a company is holding excessive information about you, you should use Resolver to request that they stop. If they refuse, they may be in breach of the Data Protection Act. In the event that they are, you can escalate your case to the Information Commissioner’s Office (ICO).
Stop company from holding personal information
You have the right to ask an organisation not to gather your information – and, in some cases, to erase any data they have on you.
Under some circumstances you may be able to get your personal data deleted. This is your “right to erasure”.
Companies have a month to respond to a request for erasure. Requests can be sent via Resolver.
A company is not obliged to erase your data if:
- They have to process your data to exercise the right of freedom of expression and information;
- Your data is being used in an investigation or any other legal proceedings;
- Your data has to be used to carry out a task that’s in the public interest.
A company can also refuse your request if they think it’ll be extremely difficult to erase your data. In this situation, they can also choose to charge a reasonable fee for processing your request.
If you send a request, the company has a month to respond. If they don’t do so, they may have breached the GDPR, and you can escalate your case to the Information Commissioner’s Office (ICO).
Company holding inaccurate information
Companies have to keep correct information about you. If you discover that a company has inaccurate information on file, you have the right to request that they change or remove the incorrect information.
You can do this by submitting a request via Resolver. Be sure to include any relevant proof (letters, identification, etc.). If the company does not change the details to your satisfaction, they may be in breach of the Data Protection Act. If you believe this is the case, you can use Resolver to escalate your issue to the Information Commissioner’s Office (ICO).