Privacy Rights of Individuals under GDPR
GDPR is an evolution of the existing data protection laws. It enhances the rights of the individual at a time when more business is being done online, which for the individual means giving many more companies access to our personal data.
For businesses and organisations that are fully compliant with the existing data protection laws, the transition should be reasonably straightforward. For organisations with a more half-hearted attitude to data protection, the transition could be difficult.
Under GDPR your policies and procedures need to cover ALL of the rights that individuals are now entitled to. This must include deletion, portability, corrections, the right to be forgotten and the right to object. You must also have a procedure in place to handle a Subject Access Request (SAR). Under GDPR any individual can ask to have access to their data; they can check it, port it, or ask for it to be deleted. You must be able to access this data easily and respond within the 1 month time scale.
What are the rights of the individual under GDPR?
The Right to Be Informed
The information given to the individual regarding the processing of their data must be clear, concise and written in plain language that can be easily understood. This is especially relevant when your words are aimed at children. They must have a clear understanding of why you need to process their data.
The Right of Access
When an individual presents you with a Subject Access Request (SAR) you have to comply within 1 month. If the request is complicated you may be able to apply for more time to complete it. You cannot charge the individual for accessing their data; only in extreme circumstances can an administrative charge be made.
Organisations need to have clear policies in place setting out the grounds for refusing a SAR, and must be able to demonstrate that a refused request meets these criteria.
You need to think about the impact that receiving a large number of SARs could have on your organisation; these are processes that need to be factored into future plans.
Could allowing data subjects online access to their own data be a consideration? Could this save your organisation time and money, while at the same time building your reputation by offering transparency and thus gaining the trust of the individual?
The Right to have their Details Corrected and Amended
It’s simple: if the information you hold on an individual is wrong, it must be corrected. If you have given that data to a third party, you must also ensure that it is corrected with them, and you must inform the individual which third parties you have given their incorrect data to. Under GDPR you are accountable for the data that you hold.
Once again the time frame for compliance with this request is 1 month, and only in exceptional circumstances can the deadline be moved, so make sure that data entry is performed accurately in the first place.
The Right to Port their Data
Data portability allows your customers to obtain and use their data for their own purposes. It allows them to move, copy or transfer their data in a safe and secure way, in a structured and readable format.
Data portability applies:
- When the personal data an individual requests has been provided by them to the controller
- Where the processing is based on the individual's consent or for the term of the contract
- When the processing is carried out by automated means
The Right to be Forgotten
Under GDPR an individual can request to have their data erased. This is also known as the ‘right to be forgotten’. An individual can request that their data be erased when they cease to be a customer or where there is ‘no compelling reason’ for the continued processing of their data.
There are however exceptions to this where a company does not have to comply:
- If the data has to be kept for legal reasons
- If the data is being processed for the freedom of expression
- If the information is for public health purposes
- For those involved with children’s data, please note there are extra requirements that you have to take into consideration.
Right to Restrict the Processing of their Data
You must inform individuals that they have a right to object to your organisation processing their data; it must be ‘at the point of first communication’ and in your privacy notice.
It must be clearly presented and separate from other information i.e. you cannot hide it in the small print.
When an individual objects you must stop processing their data, e.g. if they object to you processing it for the purposes of direct marketing. As before, any third parties that hold the data must be notified. There are exceptions to this, and these should be identified for each individual business.
Rights Related to Automated Decision Making and Processing
The GDPR provides protection for individuals when their data is processed automatically, in the case where a potentially damaging decision is made without the intervention of a human.
Do you have processing procedures in place that could be classed as automated processing? If so, do these procedures comply with GDPR?
As an organisation you need to know that you can deal with all of the above requests; you must have documented processes and procedures in place.
Questions to think about:
- How would your organisation react if you received a request from a data subject wishing to exercise their rights under GDPR?
- Do you know how long it would take you to locate the data, where and how is it stored?
- Do you know who to ask to delete a record from the database, is there someone who is authorised to deal with this?
- If a data subject asks to port their data, are you able to supply them with their data in a commonly used format?
These are all questions that need to be answered on your journey to compliance.