The new GDPR regulations - and how they may affect you

Do you always know how your data is being used and protected by the companies you’re giving it to? Many of us don’t! As technology develops and data sharing becomes more common, data protection is becoming more and more important. That’s why new legislation known as GDPR (General Data Protection Regulation) is being enforced on the 25th May – but what exactly does it mean for you as a consumer?


What is GDPR and why do we need it?

As technology develops and our private data is being used and shared in countless new ways, people are becoming increasingly worried about security – and it’s understandable. This new law will help address these concerns.

There are two key reasons why GDPR is being introduced – to bring all EU member states under one common regulation, and to update regulations to reflect our new digital age, giving you more control.

Different countries in the EU follow different rules and regulations when it comes to data sharing and privacy, which can get quite confusing when data is being shared between people and companies in different countries. GDPR will be enforced across all 28 EU member states, meaning everyone is following the same rules.

In the UK, companies are still following the 1998 Data Protection Act to ensure the safety of people’s data – but we can probably all agree that technology and data sharing have developed just a bit since 1998.

This means that the current regulation may not be entirely suitable for the needs of consumers and the types of technology we’re seeing today. GDPR will replace the Data Protection Act to better protect our data and give us some new rights.

This is great news, considering huge companies like XBOX, Gmail, Uber and Three all reported major data breaches last year. In fact, the UK government reports that 46% of all UK businesses have identified at least one data breach or cyber attack in the last 12 months, and that bigger companies (those making a profit of over £2million a year) are the most likely to identify a breach. Scary stuff!

What data does it protect?

When people talk about technology and digital developments, there’s always a focus on data. But what data do they mean? Well, GDPR aims to protect any personal data a company holds about you – including your name, address, email address, images, social networking accounts, IP address or medical history.

It will also cover more sensitive data such as your sexual orientation, your genetics, biometrics (such as your fingerprint ID), your political views or any trade union memberships.


How will it affect UK businesses?

Essentially, GDPR will affect everyone in all 28 EU member states, from businesses big and small, to customers and consumers.

When it comes to implementing GDPR, the biggest changes will be seen by businesses rather than consumers – since they’re the ones who will have to adjust the way they handle data to align with the new legislation! Some businesses will even need to appoint a Data Protection Officer to make sure all their data protection policies are up to scratch.

There are hefty penalties for those who don’t comply, including a fine of up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher – so they definitely don’t want to be caught on the wrong side! Any serious data breach also needs to be reported to the relevant authorities within 72 hours, and if there’s a risk involved to the data subject (i.e. the people the data concerns) they’ll have to inform their customers too.

How will GDPR affect me?

While businesses will have to make changes to their data policies in preparation for the new regulations, consumers don’t have to do anything in particular to prepare.

That said, individual consumers like you will probably still notice some changes. You’ll probably find that when you buy products online or sign up to newsletters, there will be more obvious checkboxes relating to how the company can use your data – for example to send you emails, or share data with a third party. This is because you now need to opt in to these types of communications and data sharing, rather than having to opt out.

GDPR gives you a number of ‘rights’ when it comes to your data, including:

The right to be informed – this one’s pretty self-explanatory; you have a right to know how your data will be managed and shared by a company.

The right to access your personal data – again, quite straightforward. You can ask any company to share with you the data they have about you.

The right to rectification – this just means you can update your data if it’s inaccurate or if something is missing.

The right to erasure – nothing to do with the band, we’re afraid! This just means that you have the right to request that a company deletes all or parts of the data they hold about you. However, there are some exceptions here – for example, some information can be held by employers and ex-employers for legal reasons, while banks and banking services like us can’t completely erase your financial records.

The right to restrict processing – if you think there’s something wrong with the data being held about you, or you aren’t sure a company is complying with the rules, you can restrict any further use of your data until the problem is resolved.

The right to data portability – this means that if you ask, companies will have to share your data with you in a way that can be read digitally – such as a PDF. This makes it easier to share information with other companies, such as your bank details when applying for a loan.

The right to object – you can object to the ways your data is being used. This should make it easier to avoid unwanted marketing communications and spam from third parties.

Rights in relation to automated decision making and profiling – this protects you in cases where decisions are being made about you based entirely on automated processes rather than human input.

Whether or not you exercise your new rights is up to you – the main thing to remember is that you have rights relating to your data, and that they are there if you need them.

A word from B

Since we operate in the EU and process the data of EU residents, B will also be moving to GDPR to make sure your data is as safe as possible. You don’t need to take any action just now, but we’ll let you know if there are any changes to your data that you need to know about! In the meantime, get in touch if you’ve got any questions or worries about the new regulation.

Fair Processing Notice

Our Fair Processing Notice describes the categories of personal data we process and for what purposes.

We are committed to collecting and using such data fairly and lawfully in accordance with the requirements of the General Data Protection Regulation (GDPR).

This is just a summary of the full Fair Processing Notice.

Who we are

Clydesdale Bank PLC trades using the brands Clydesdale Bank, Yorkshire Bank and ‘B’. Our Fair Processing Notice explains your privacy rights and how we gather, use and share information about you. You can get in touch with our Data Protection Officer by email or by post at Group Data Protection Officer, Group Risk, Level 3, 51 West George Street, Glasgow G2 2JJ. See sections 1 and 2 of the Fair Processing Notice for more details.

Your rights

You have the right to object to how we process your personal information. You also have the right to access, correct, sometimes delete, and restrict the personal information we use. In addition, you have a right to complain to us and to the data protection regulator. You can get in touch with us or visit us in branch. The data protection regulator is the Information Commissioner’s Office. Section 3 of the Fair Processing Notice gives you more information about your privacy rights.

How we gather personal information

In addition to the information you provide to us directly, we collect personal information in a number of ways, for example from third party credit reference agencies and from looking at how you have used other products and services we offer. Sometimes for your safety and for legal reasons we collect personal information by recording and monitoring calls and from CCTV. We also record calls for training and quality control. See section 5 of the Fair Processing Notice for more details about how we gather personal information.

How we use your personal information

We use your personal information to provide you with products and services (including credit checks), to comply with the law and enforce our legal rights (including debt recovery), and to improve and market our products and services. Sometimes we use automated processes to make decisions about you and to profile you. Sometimes we need to use sensitive personal information such as medical details to make available products you have requested and to give you the best service. Find out more about how we use your personal information in sections 6 and 7 of the Fair Processing Notice.

Our products and services

We need some personal information before we can provide our products and services to you, for example to allow us to check your identity. In some cases we won’t be able to provide products and services to you if we don’t have all the personal information we need. Find out more in section 7 of the Fair Processing Notice.

Sharing and transferring personal information

We share personal information with our suppliers and other third parties where needed to provide you with the best service. We also share personal information with regulators, other banks and law enforcement. Sometimes we transfer personal information to other countries outside the UK for these purposes, where suitable protection is in place. Sections 9 and 10 of the Fair Processing Notice will give you further details about this.

Keeping personal information

We keep your personal information securely for as long as we need to for the purposes described in section 11 of the Fair Processing Notice.

Your consent

Sometimes we need your consent to use your personal information (for example for marketing). We won’t always need consent to use personal information – for example if we need it to meet regulatory requirements or to perform a contract with you. Where you have given us consent, you have the right to withdraw it at any time. See sections 12 and 13 of the Fair Processing Notice for more details.

Our partners

We want the best for our customers and sometimes we work with other companies to offer you the best products and services. With your consent, we or our partners will contact you to let you know about products or services from our partners where we think that will save you money or make your life easier. See Section 6 ‘How we use your personal information’, clause 6.10 of the Fair Processing Notice for more information about our partners.
