The new GDPR discussion thread

[BankFodder]

If you have any comments, questions, insights or suggestions about the new GDPR regime which comes in force on 25 May, please post them here.

 

New template here

[BankFodder]

If your situation is urgent and you need to send an SAR then you should do it as soon as possible. However, if it's not screaming at you then you might be better off waiting until 25 May and using our new template which will be available then.

 

The time limit for satisfying the new GDPR disclosure request is one month – as opposed to 40 days now. So even if it is screamingly urgent, if you are reading this on 15 May then it is not worth sending an SAR immediately. You may as well wait the extra 10 days because you are so get your disclosure on about the same date.

 

The new GDPR obliges the data controller/processor to provide you with your disclosure free of charge.

 

Also you can require them to disclose what they are doing with your data, how they acquired it and with whom they have shared it.

 

Please be aware that there is a provision in the new GDPR that if the data controller/processor considers that your SAR is "manifestly unfounded" then they can require that you pay them their administrative charges. There doesn't seem to be any limit to these other than they must reflect actual costs. However, it is possible that companies will use this as a way of discouraging people from seeking their data and this could be open to abuse. We will have to see.

 

Another interesting question in relation to administrative charges is whether they will calculate those charges in advance of having conducted the data search or whether they will conduct the data search and then calculate the fee accordingly.

 

It seems difficult to imagine that they would be able to come up with a figure before carrying out search as they may not know how much trouble they have to go to or how much material there will be. It is all open to interpretation – and of course abuse.

 

It is fairly certain that the usual suspects – especially the banks – will look for ways to discourage people from accessing their data. In the past, Lloyds bank and NatWest have been particularly bad and have tried to persuade their customers that they only keep data going back six years. Of course this was a lie.

 

Another feature of the new GDPR is that where there is a group of companies, you do not have to make a request to each entity within the group. Each group of companies is required to have one data controller and it is simply necessary to address your SAR to this data controller who is then obliged to make sure that your SAR is satisfied by all of the members of the group. This makes it more difficult for companies such as Lloyds to suggest that as their archive is in a separate place and over, it cannot be accessed.

 

In fact last year I had two SARs declined by the Lloyds SAR department because they didn't have the data and it was being dealt with by different department. This is typical of the way that Lloyds attempts to frustrate people who want to simply assert their statutory rights. I'm pleased to say that the information Commissioner has provided an opinion that Lloyds was probably in breach of both of these SARs.

 

We will have to see how tricky the data controllers become about this kind of thing. However, we suggest that people who request access to their personal data become completely inflexible as to the one month timescale and should make an immediate complaint to the information Commissioner the moment the one month timescale has expired. There will be a template for this in the library.

 

However, do be aware that once again the companies are given a certain flexibility and they can in certain circumstances extend the deadline by up to 2 months – so three months and all – but they are required to give you notice and to explain why they're doing this.

 

The standard reason would be that the requests they are receiving are "numerous". Of course this could mean that a company simply needs to provide a minimum SAR service so that it is easily overrun by requests and it can then apparently quite legitimately delay satisfying requests simply because they can't cope with the number coming in.

Our view is that this would be abusive and unfortunately experience has been so far there where you provide these companies with any kind of discretion in order to be reasonable with them, they exploit this as a weakness/loophole to the detriment of their customers.

 

Examples include

 

• SAR - maximum timescale:- 40 days. In practice:- always 40 days or more
  
• FOS final response max timescale:- 8 weeks. In practice - almost always at least 8 weeks
  
• OFT late payment charge - maximum £12.00. In practice:- always £12.00
  

 

We suggest that in addition to asking for help on an ordinary forum thread, that you report any funny business on this thread as well.

[steveod]

One of the requirements under the GDPR is that companies ensure they have adequate resources to ensure compliance. Companies which process personal data on a large scale will need to ensure they can meet the 30 days response to SAR except on the rare occasions or where data subject is abusing the system. I won’t be bothering when the ICO as they probably will still have no intention of looking after consumer taking their track record into account and their pathetic replies to my FOI requests. Straight to small claims after 25th May if certain companies that process my data unlawfully such as not reply’ing to SARs correctly.

[BankFodder]

I think you are absolutely right. I think that people should take a very hard line with the companies that hold their data and then failed to comply strictly with their statutory obligations.

 

This is not only because have your own personal data dealt with according to the rules, but also people should start to understand that when these companies hold your data, they use it not only to manage your account or whatever business you have with them, but they also process it in order to make other marketing decisions so that they can improve the profitability of their own companies – whether those marketing decisions are simply to offer you new products, or to decide on their general policy as to how they present themselves and sell themselves to their client public.

 

You supply them your personal data for free – expecting it merely to be used for the management of your business – but in fact it is used for far greater and more important reasons than that – even if it is used in an anonymised form.

 

I think people whose statutory data disclosure requests are not dealt with strictly according to law should waste no time in bringing a legal action.

 

One proviso, though, is that one should also make an immediate complaint to the ICO. You should also chase the ICO for a decision. You may eventually get a letter or an email from the ICO telling you that in their opinion such and such particular company is unlikely to have complied with their data protection obligations.

 

If you get this response from the ICO then you will be unlikely to have much difficulty when you bring your legal action.

[king12345]

Maybe a stupid question, but what would you claim for in county court for a breach of GDPR?

[AndyOrch]

Breach of Data Protection....GDPR expands the ability for claimants to bring compensation claims against companies in the event that there is an infringement of the regulations. The ability to seek compensation under the GDPR and the implications this may have for both businesses and individuals.

[BankFodder]

And at the very least, a symbolic judgement for breach of statutory duty which would then be forwarded to the FCA – if appropriate – and also to the Information Commissioner would be extremely damaging

[king12345]

What sum would you claim?

£1.

Based on current guidelines about adr and trying to resolve the matter without taking it to court, wouldn't companies just buy you out?

Even if you ask £500, surely it would be less damaging to them.

How would it work?

[BankFodder]

You are not obliged to accept an offer and to discontinue it is reasonable to continue.

 

In my view, if a firm is sued because of a breach of data protection rules, then this amounts to a breach of statutory duty. In such a case I would say that there is always an interest in continuing to judgement and I find it difficult to imagine that a judge would find it unreasonable.

 

The situation is completely different from a mere breach of contract or a breach of the duty of care et cetera.

 

If one is suing under BCOBS, MCOBS et cetera, GDPR/DPA, then if it is not possible to identify any serious loss, then a very modest symbolic figure is probably all that is necessary if all you want is a judgement.

 

I think you're quite right about the damaging effect of a judgement against them for some kind of breach of statutory duty. But the best thing to do is keep the claim modest and go for the principle.

 

You may be interested to know that about four years ago I was assisting somebody who brought a claim for £200 against NatWest because of the mishandling of their personal data file. The claim was brought under BCOBS – unfair treatment.

 

Once the papers are issued, the bank came back and offered the claim figure. The cagger refused. He was extremely angry and wanted to continue to court. The bank then offered about £1000. He refused. The offers then went up eventually to £7000. By this time I was pleading with him to accept the money – but he was extremely angry and said no. The last thing I saw was an email from the banks solicitors offering £7500 and inviting him to discuss it.

 

I never heard from the cagger again. I'm absolutely certain that he then went on and accepted the payment on conditions of confidentiality and in particular that he wouldn't come back to this forum. (The solicitors knew that he was posting here).

 

I certainly don't blame him if he did accept the money. I was astonished at how the offers increased. I can't say for sure that this is the BCOBS effect but it was pretty striking.

 

I've been trying since 2009 to get people to sue under BCOBS – and this cagger and another – - MadPriest - have done it. MadPriest sued Santander under BCOBS. I can't remember how much for but I know that eventually cost them over £6000.

 

BCOBS effect?

[king12345]

Great to know, thanks!

[jon8214]

How could you complain about a company that doesn't update their privacy policy in line with the GDPR?

 

ie their website still shows that it will cost £10 for a SAR

 

I know it doesn't come into effect until tomorrow but quite few companies that I intend to send SAR's to still have their old privacy policies in place

[BankFodder]

I think the best thing to do is to contact them directly and point out the problem. If they fail to respond then come back here.

[AndyOrch]

How could you complain about a company that doesn't update their privacy policy in line with the GDPR?

 

ie their website still shows that it will cost £10 for a SAR

 

I know it doesn't come into effect until tomorrow but quite few companies that I intend to send SAR's to still have their old privacy policies in place

 

Its irrelevant anyway as the new legislation supersedes... they must comply

[jon8214]

Opus are quick, they updated their privacy policy on 23rd with an email address and I sent in a SAR, I’ve just received it by special delivery this morning

[MrSmithers]

Would the new template be suitable for medical record requests? Additionally would i only need to send one request now rather then to my doctors AND my hospital? if so which?

 

Thanks.

[Old Cogger]

BMA - GPs as data controllers under the GDPR

https://www.bma.org.uk › ... › Ethics › Confidentiality and health records

4 May 2018 - The General Data Protection Regulation (GDPR) is an EU Regulation which will be directly applicable in the UK on 25 May 2018. It should be read alongside the forthcoming UK Data Protection Act 2018 (DPA 2018). The GDPR and the DPA 2018 will replace the existing Data Protection Act 1998.

[andy023]

i have an estate agent who refused to give data for over 8 months when they sent the data it was all mixed up how would you sue this company thanks in advance

[BankFodder]

Please start a new thread for this question. This thread is really a discussion thread. Thanks

[Calista969]

If ICO was on the side of the consumer they should have ensured that all companies provide a named individual as their DPO - it is a disgrace that most companies avoid providing full staff names unless you are threatening legal acton. This is a one way system and never been happy with the DPA time limits and the fact that after you file your SAR, ICO gives the company another 2 weeks to deal with the issue before any action is launched if any (travesty, hypocrisy and bias on the part of the regulator). They may act 'within the law' but the law does not go far enough. Also only the financial reg (FSO) and ICO have specific time limits for responses to complaints (any other consumer complaints seem to go in the companies' spam folder - how convenient). Also I am against the so called journalistic privilege where journalists and TV channels (the BBC is a big culprit) refuse to answer questions as exceptions apply (unless you go to court). There should not be a blanket approach to journalistic privilege...