The General Data Protection Regulation (GDPR) provides strong rights to individuals whose personal data is being processed by organisations.
Rights of an individual:
The right to be informed
The right to be informed covers your responsibility to provide “fair processing information”, normally by way of a privacy notice. You need to be absolutely transparent in how you are going to use personal data.
The right of access
Under the GDPR, EU Residents will have the right to obtain:
- Confirmation that their personal data are being processed
- Access to a copy of their personal data
- Any other supplementary information
This is similar to subject access rights under previous legislation.
The right to rectification
Individuals are entitled to have their personal data corrected if it is inaccurate or incomplete. If you have divulged the personal data in question to third parties, you must inform them of the correction where possible. You must also inform the data subject about the third parties to whom the data has been divulged where appropriate.
The right to erasure
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Be aware that this is not an absolute right. It is very limited in scope. Your first thought should be that you will refuse such a request, unless it falls within that scope. Consult the detailed guidance for more on this.
The right to restrict processing
Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
The right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
The right to object
Individuals have the right to object to:
- Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling).
- Direct marketing (including profiling).
- Processing for purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. Study your processing operations and see if any of them use automated decision making. If they do, then check your procedures around this decision making to ensure that they deal with the requirements of the GDPR.