GDPR explained: What do the endless privacy policy emails mean for you?

Joe Sommerlad

If you're currently being inundated with emails from companies about updates to their privacy policies, this is why: a new General Data Protection Regulation (GDPR) law comes into effect on 25 May after being passed by the European Parliament in April 2016.

The legislation is intended to give the consumer greater control over the way in which companies collect and use their personal data, replacing rules introduced in 1995 that are no longer fit for purpose given the subsequent growth of the digital economy. UK information commissioner Elizabeth Denham has suggested GDPR is a "step change" and a case of evolution rather than revolution.

Under the new regulations, which will apply even after Brexit, having been enshrined in the UK's forthcoming Data Protection Bill, businesses will be required to actively secure permission before making use of customers' names, email addresses, phone numbers or web browsing habits (traced by a website's cookies).

Firms will now be obliged to report any data breaches or cyberattacks within 72 hours of becoming aware of them.

Your inbox is no doubt currently being flooded with emails from companies you have previously bought something from online, sites you have registered with or those you agreed to receive promotional material from, having been added to their mailing lists when you did so.

Consent given prior to the introduction of GDPR regarding a company's right to retain and "process" your data is no longer sufficient without proof that you opted in, hence their approaching you now to ensure your approval.

In return, you will be able to request a copy of all the data a business holds on you within 30 days and even ask for it to be deleted under "right to be forgotten" laws, a potential admin headache for small enterprises but a win for online privacy advocates. Presently, businesses charge £10 to process a Subject Access Request, a fee that will now be scrapped.

GDPR will even apply to sole traders such as handymen, and a failure to comply will result in fines decided by the UK Information Commissioner's Office (ICO).

Minor offences could hypothetically result in fines of £8.8m or 2 per cent of a firm's turnover, and more serious breaches in fines of up to £17.5m or 4 per cent of turnover, a huge increase on the current maximum penalty of £500,000. Ms Denham, however, insists the ICO prefers "the carrot to the stick" and lesser contraventions are unlikely to be penalised so heavily.

The ICO has prepared a 12-step guide for businesses to help them ensure they comply, which you can access here.

If you're really keen, you can read the full GDPR regulation here. All 88 pages and 99 articles of it.

The introduction is timely given the growing awareness of privacy concerns in light of the Cambridge Analytica scandal, in which the start-up harvested data from the Facebook profiles of 50 million Americans and passed it on to Republican political pollsters for use in the micro-targeting of swing voters during the 2016 US election.

Significant data breaches suffered by the likes of Yahoo! and LinkedIn over the last year have also underlined the need for greater corporate responsibility when it comes to individuals' private information.