Privacy Rights of Individuals under GDPR

GDPR is the evolution of the existing data protection laws. It enhances the rights of the individual at a time when more business is being done online, which for the individual means giving many more companies access to our personal data.

For businesses and organisations that are fully compliant with the existing data protection laws, the transition should be reasonably straightforward; for organisations with a more half-hearted attitude to data protection, however, the transition could be difficult.

Under GDPR your policies and procedures need to cover ALL of the rights that individuals are now entitled to. This must include deletion, portability, corrections, the right to be forgotten and the right to object. You must also have a procedure in place to handle a Subject Access Request (SAR). Under GDPR any individual can ask to have access to their data; they can check it, port it, or ask for it to be deleted. You must be able to access this data easily and work within the 1 month timescale.

What are the rights of the individual under GDPR?

The Right to Be Informed

The information given to the individual about the processing of their data must be clear, concise and written in plain language that can be easily understood; this is especially relevant when you are aiming your words towards children. They must have a clear understanding of why you need to process their data.

The Right of Access

Individuals will have the right to obtain confirmation that their data is being processed in a way that is fair and lawful, to access their data, and to obtain the other supplementary information that should be provided in your privacy policy (Article 15).

When an individual presents you with a Subject Access Request (SAR) you have to comply within 1 month; if the request is complicated you may be able to apply for more time to complete it. You cannot charge the individual for accessing their data; only in extreme circumstances can an administrative charge be made.

Organisations need to have clear policies in place setting out the grounds for refusing an SAR, and must be able to demonstrate that a refused request meets these criteria.

You need to think about the impact that receiving a large number of SARs could have on your organisation; these are processes that need to be factored into future plans.

Could allowing data subjects online access to their own data be a consideration? Could this save your organisation time and money, while at the same time building your reputation by offering transparency and thus gaining the trust of the individual?

The Right to have their Details Corrected and Amended

It’s simple: if the information you hold on an individual is wrong, it must be corrected. If you have given that data to a third party, you must also ensure that it is corrected with them, and you must inform the individual who you have given their incorrect data to. Under GDPR you are accountable for the data that you hold.

Once again the time frame for compliance with this request is 1 month, and only in exceptional circumstances can the deadline be moved, so make sure that data entry is performed accurately.

The Right to Port their Data

Data portability allows your customers to obtain and use their data for their own purposes; it allows them to move, copy or transfer their data in a safe and secure way, in a structured and readable format.

Data portability applies:

  • When the personal data an individual requests has been provided by them to the controller
  • Where the processing is based on the individual’s consent or on the term of a contract
  • When the processing is carried out by automated means

The Right to be Forgotten

Under GDPR an individual can request to have their data erased. This is also known as the ‘right to be forgotten’. An individual can request erasure when they cease to be a customer or where there is ‘no compelling reason’ for the continued processing of their data.

There are, however, exceptions where a company does not have to comply:

  • If the data has to be kept for legal reasons
  • If the data is being processed for the purposes of freedom of expression
  • If the information is for public health purposes

For those handling children’s data, please note there are extra requirements that you have to take into consideration.

Right to Restrict the Processing of their Data

You must inform individuals that they have a right to object to your organisation processing their data; this must be done ‘at the point of first communication’ and in your privacy notice.

It must be clearly presented and separate from other information, i.e. you cannot hide it in the small print.

When an individual objects you must stop processing their data (e.g. if they object to you processing it for the purposes of direct marketing), and, as before, any third parties that hold the data must be notified. There are, however, exceptions to this, and these should be noted for each individual business.

Rights Related to Automated Decision Making and Processing

The GDPR provides protection for individuals when their data is processed automatically, in cases where a potentially damaging decision is made without human intervention.

Do you have processing procedures in place that could be classed as automated processing? If so, do these procedures comply with GDPR?

As an organisation you need to know that you can deal with all of the above requests, and you must have documented processes and procedures in place.

Questions to think about:

  • How would your organisation react if you received a request from a data subject wishing to exercise their rights under GDPR?
  • Do you know how long it would take you to locate the data, and where and how it is stored?
  • Do you know who to ask to delete a record from the database? Is there someone who is authorised to deal with this?
  • If a data subject asks to port their data, are you able to supply them with their data in a commonly used format?

These are all questions that need to be answered on your journey to compliance.