GDPR provides 8 main rights for individuals and strengthens those that already exist under the current Data Protection Act. Below are the 8 main rights and a brief explanation of each one to give you a better understanding in preparation for GDPR when it comes into force on 25 May 2018.
Each title is linked to the relevant page on ICO’s main website where you can find more in-depth detail if you want to explore one or more of the rights further.
The right to be informed covers the information you must supply about how you process personal data, typically in a privacy notice. That information must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
Exactly what you must supply depends on whether or not you obtained the personal data directly from the individual. For more detail, including what information you must give individuals and at what stage, see the ICO's guidance on the right to be informed.
Under the right of access, you must be able to confirm whether you are processing an individual's personal data and give them access to that data, free of charge and in a commonly used format (an electronic format if the request was made electronically). If the data is spread across multiple systems, plan carefully so that requests can be answered efficiently, since you can no longer charge a fee to cover the cost of providing the information.
Individuals are entitled to have their personal data rectified if it is inaccurate or incomplete, and you must respond to a rectification request within one month unless the request is deemed complex. If you have disclosed the personal data to third parties, you must also inform them of the rectification where possible.
The ‘right to be forgotten’, or right to erasure, means you must have procedures in place for removing or deleting personal data easily and securely where there is no compelling reason for holding it and continuing to process it. Specific circumstances stated by the ICO include:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
For marketing in particular, this right is a main reason why having the appropriate tools and record keeping in place is so important: you need to know why someone’s data is being processed and what it relates to, and whether they have withdrawn consent to receiving marketing materials and to having their data processed. Many investigations are likely to arise from people who have withdrawn their consent to marketing, or never gave it in the first place, yet find their data is still being processed and continue to receive electronic marketing such as emails.
Individuals have the right to ‘block’ or restrict the processing of their personal data in the following circumstances outlined by the ICO:
- “Where an individual contests the accuracy of the personal data, you should restrict the processing until you have verified the accuracy of the personal data.”
- “Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and you are considering whether your organisation’s legitimate grounds override those of the individual.”
- “When processing is unlawful and the individual opposes erasure and requests restriction instead.”
- “If you no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.”
You must inform any third parties that are also involved with the data about the restriction, and inform individuals when you remove a restriction on processing.
The right to data portability allows individuals to obtain and reuse their personal data across different services for their own purposes. The right only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and
- when processing is automated.
The right allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. So if, for example, a client on your site cannot quickly download their account transactions, this will need to be amended.
Personal data must be provided in a structured, commonly used and machine-readable format (such as CSV files) so that other organisations can use it, and it must be provided free of charge.
The right to object means individuals have the right to object to direct marketing (including profiling), to processing based on legitimate interests, and to processing for the purposes of scientific/historical research and statistics. When an individual objects, you must stop processing their personal data immediately; they can object at any time, free of charge, and there are no exemptions or grounds to refuse.
Ensure you inform individuals of their right to object in your privacy notice and “at the point of first communication”. If you process personal data for research purposes, for the performance of a legal task, or for your organisation’s legitimate interests, see the ICO's guidance on the right to object for further details. If your processing activity is one of the above and is carried out online, you must offer the option to object online, e.g. through your website.
If any of your processing operations constitute automated decision making, including profiling (as is common for insurance firms, for example), individuals have the right not to be subject to such a decision and must be able to obtain human intervention, express their point of view, obtain an explanation of the decision and challenge it. The right does not apply if the automated decision is necessary for a contract between you and the individual, if it is authorised by law, or if it is based on explicit consent. The ICO's guidance on automated decision making and profiling gives further details.
For more crucial insights into GDPR and preparing for 25 May 2018, read the other articles on SOZO’s blog.
Disclaimer: The information in this article is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an adviser or solicitor, or consult the Information Commissioner’s Office (ICO, https://ico.org.uk/).