GDPR: Your 8 Rights as Individuals
The General Data Protection Regulation (GDPR) provides 8 main rights for individuals and strengthens those that already existed under the previous legislation, the Data Protection Act. Below are the 8 main rights for individuals, with a brief explanation of each to give you a better understanding of them.
1. The right to be informed
The right to be informed sets out how the information you supply about the processing of personal data, typically in a privacy notice, must be presented. It must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
The information you supply is determined by whether or not you obtained the personal data directly from individuals. For more detail and what information you must supply to individuals at what stage, click here.
2. The right of access
Under the right of access, you must be able to confirm that an individual’s data is being processed and provide access to that data free of charge, in a commonly used format (an electronic format if the request is made electronically). If you hold data across multiple systems, plan this carefully so that requests can be handled efficiently, given that the information must now be provided free of charge.
3. The right to rectification
Individuals are entitled to have their personal data rectified if it is inaccurate or incomplete, and you must respond to a rectification request within one month if the request is not deemed complex. If the personal data has also been disclosed to third parties, you must inform them of the rectification where possible.
4. The right to erasure
The right to erasure, also known as ‘the right to be forgotten’, means you must have procedures in place for removing or deleting personal data easily and securely where there is no compelling reason for its possession and continued processing.
5. The right to restrict processing
Individuals have the right to ‘block’ or restrict processing of personal data, in the following circumstances outlined by the ICO:
- “Where an individual contests the accuracy of the personal data, you should restrict the processing until you have verified the accuracy of the personal data.”
- “Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and you are considering whether your organisation’s legitimate grounds override those of the individual.”
- “When processing is unlawful and the individual opposes erasure and requests restriction instead.”
- “If you no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.”
You must inform any third parties that are also involved with the data about the restriction, and inform individuals when you remove a restriction on processing.
6. The right to data portability
The right to data portability allows individuals to obtain and reuse their personal data across different services for their own purposes. The right only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or contract; and
- when processing is automated.
The right allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting usability. Therefore, if a client on your site cannot quickly download their account transactions, for example, this will need to be amended.
7. The right to object
The right to object means individuals have the right to object to direct marketing (including profiling), to processing based on legitimate interests, and to processing for purposes of scientific/historical research and statistics. In that case you must stop processing the personal data immediately and at any time, with no exemptions or grounds to refuse, and free of charge.
Ensure you are informing individuals of their right to object in your privacy notice and “at the point of first communication”. If you process personal data for research purposes, or for the performance of a legal task or your organisation’s legitimate interests, see further details here. If your processing activity is one of the above and is carried out online, you must offer the option to object online, e.g. through your website.
8. Automated decision making and profiling rights
If any of your processing operations constitute automated decision making, including profiling (as at insurance firms, for example), individuals have the right not to be subject to such a decision and must be able to obtain human intervention, express their point of view, obtain an explanation of the decision and challenge it. The right does not apply if the automated decision is a contractual necessity between you and the person, if it is authorised by law, or if it is based on explicit consent. Find further details here.