The flagship day of 25 May 2018 has passed, and the General Data Protection Regulation (GDPR) is now a key part of UK law. This represents the biggest overhaul of data security with the individual at its heart since 1998. Everyone has probably had at least ten emails before this date from companies and organisations storing/processing their data. This represented the first real incarnation of the spirit of the legislation, giving individuals more control over their data. There is still plenty of conjecture as to how big an impact these regulations will have.

Subject access requests made easier

The Data Protection Act 1998 introduced Subject Access Requests (section 7).

This is the right of an individual to request disclosure of data/information held about them. However, the cumbersome process and the fees often involved watered down this right.

GDPR (article 15) broadened this right, making it easier for individuals to control what is done with their data. Importantly, this legislation has removed the right to levy a charge (£10, £50 for health records) for these requests.

Introducing 'warm' calling

The duty placed on data-holders to disclose the purpose for which they store data represents an obstacle for cold-callers. More often than not, prospective call-makers are not the ones who obtain the data in the first place. Previously, companies have used terms and conditions hidden behind pre-ticked consent boxes to allow them to pass personal data on to companies who practise prospective calling.

This has often been a lucrative practice.

There is much information out there about how, in practical terms, the much-deployed act of cold-calling will be curtailed under the GDPR, in terms of detecting the offenders. However, the spirit of GDPR gives hope to individuals worried about who has access to their data and what they can do with it. Essentially, the legislation sets out that the purpose/use of the data should be disclosed to individuals. This conflicts with the essence of cold-calling. Therefore, there must be some disclosure of the intent to pass data on for prospective calls/approaches, making it "luke-warm calling". There is a huge grey area around being able to use information in pursuit of "legitimate interests" (article 6). Clarity on this is what is required going forward.

Breaches of GDPR

The procedure for reporting breaches of the GDPR is via a complaint to the Information Commissioner's Office (ICO - GDPR Section 15). The full impact and application of GDPR may be some time in coming.

That said, within 48 minutes of the legislation going live, campaigner Max Schrems launched the first complaint. This concerns the use of "forced consent", claiming that companies ban users from services for not consenting to their data disclosure policies. Facebook is amongst the organisations included in this complaint.

Awaiting the outcome

Companies deploying cold-calling will be biting their nails regarding the outcome of this first complaint. If Schrems is successful, it could cut off a tactic deployed to supply companies with personal data on which to base cold-calling campaigns. It would also send out a key message regarding the impact on such practices by organisations. It may lead to more complaints, especially by individuals who will start seeing the tide turning in their favour.

The role of, and approach taken by, the ICO regarding complaints made under the GDPR is key to understanding the direction of this potentially sweeping legislation.