Is your cat’s name protected by the GDPR? How is your personal information protected right now? Does Brexit have any effect on it? Who do you turn to if your rights under the GDPR have been violated?
Let’s start by establishing what counts as ‘personal information’. Is your cat’s name personal enough that it would fall under the control of GDPR?
The easy answer – it depends! Personal data is information that relates to an identified or identifiable individual. What identifies an individual could be as simple as a name, a number or other identifiers such as an IP address or a cookie identifier. If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.
So, if the name of your cat is all of the information about you that you have disclosed, and it is not an especially unique name, then it is not exactly personal information. This is because you cannot be identified through this information alone.
Protections in place
Great, we know what ‘personal information’ is. Now, what rules provide for its protection? For now, it is the European GDPR (General Data Protection Regulation) that we rely on, and here are the most important takeaways:
Although the UK is now “a third country” under the EU’s GDPR (i.e. a country outside of the EU without an adequacy decision), a provision in the agreement signed by the UK and EU in December 2020 secures an interim period of six months of unrestricted data flow between the two blocs. This means that until the 31st of July 2021 personal data is allowed to be transferred between the UK and EU unrestricted as before.
Ensuring an EU-equivalent level of personal data protection is very important for the UK, as it is the only way to be deemed adequate by the EU and thus ensure the free, uninhibited flow of data between the two countries. In order to provide equivalent legislation to the European Union, the UK has decided to create a whole “new” domestic law known as the UK-GDPR (United Kingdom General Data Protection Regulation), which is essentially the same as the European original. It serves as a merger between two types of previous legislation in the UK, namely the European GDPR and the Data Protection Act 2018.
We have established that if the UK is granted an adequacy decision from the EU by the 31st of July 2021, there will be uninhibited flow of personal data between the EU Member States and the UK, similarly to the way it was up until now. However, what will happen if the EU does not recognise the UK-GDPR as adequate legislation? In this case, the contracts for information exchange which UK companies have with European countries will have to be altered to include the so-called SCCs (Standard Contractual Clauses). These provide data protection safeguards for data that is to be transferred internationally. Another option (if someone’s personal information processing is just a one-off) is to make the person whose data will be processed sign a consent form.
You can report your concerns and file a complaint against an organisation which is not complying with the data protection regulations to the Information Commissioner’s Office on this website: https://ico.org.uk/make-a-complaint/your-personal-information-concerns/
By Bojidara Simeonova, Law Student at Queen Mary University of London