Your 8 Rights as Individuals

The General Data Protection Regulation (GDPR) provides 8 main rights for individuals and strengthens those that already existed under the previous Data Protection Act. Each right is listed below with a brief explanation.

1. The right to be informed

The right to be informed sets out how the information you supply about the processing of personal data, typically in a privacy notice, must be presented. It must be:

  1. concise, transparent, intelligible and easily accessible;
  2. written in clear and plain language, particularly if addressed to a child; and
  3. free of charge.

The information you supply is determined by whether or not you obtained the personal data directly from individuals. For more detail and what information you must supply to individuals at what stage, click here.

2. Right of access

Under the right of access, you must be able to confirm that an individual’s data is being processed and give them access to it free of charge, in a commonly used format – an electronic format if the request is made electronically. If you deal with multiple systems, plan this carefully so that you can respond efficiently, given that access must now be provided free of charge.

3. Right of rectification

Individuals are entitled to have their personal data rectified if it is inaccurate or incomplete, and you must respond to a rectification request within one month unless it is deemed complex. If the personal data has also been disclosed to third parties, you must inform them where possible.

4. Right to erasure

‘The right to be forgotten’, or the right to erasure, means you must have procedures in place for removing or deleting personal data easily and securely where there is no compelling reason for possession and continued processing.

5. Right to restrict processing

Individuals have the right to ‘block’ or restrict processing of personal data, in the following circumstances outlined by the ICO:

  • “Where an individual contests the accuracy of the personal data, you should restrict the processing until you have verified the accuracy of the personal data.”
  • “Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and you are considering whether your organisation’s legitimate grounds override those of the individual.”
  • “When processing is unlawful and the individual opposes erasure and requests restriction instead.”
  • “If you no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.”

You must inform any third parties that are also involved with the data about the restriction, and inform individuals when you remove a restriction on processing.

6. The right to data portability

The right to data portability allows individuals to obtain and reuse their personal data across different services for their own purposes. The right only applies:

  1. to personal data an individual has provided to a controller;
  2. where the processing is based on the individual’s consent or contract; and
  3. when processing is automated.

The right allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting usability. Therefore, if a client on your site cannot quickly download their account transactions, for example, this will need to be amended.

7. The right to object

The right to object means individuals have the right to object to direct marketing (including profiling), processing based on legitimate interest, and purposes of scientific/historical research and statistics, in which case you must stop processing personal data immediately and at any time, with no exemptions or grounds to refuse, free of charge.

Ensure you are informing individuals of their right to object in your privacy notice and “at the point of first communication”. If you process personal data for research purposes, or for the performance of a legal task or your organisation’s legitimate interests, see further details here. If your processing activity is one of the above and carried out online you must offer the option to object online, e.g. through your website.

8. Automated decision making & profiling

If any of your processing operations constitute automated decision making including profiling (such as insurance firms), individuals have the right not to be subject to a decision and must be able to obtain human intervention, express their point of view, and obtain an explanation of the decision and challenge it. The right does not apply if the automated decision is a contractual necessity between you and the person, if it’s authorised by law, or if based on explicit consent. Find further details here.
