Several areas within the GDPR [1] concern rights of the individuals, most of which were included in the Data Protection Act (DPA [2]), which was based on an EU directive. The difference between EU directives and regulations is that “directives” set out goals for each member state to implement and adapt within their laws, whereas a “regulation” is a binding legislative act that is non-negotiable and is immediately applied to each member state.
These seven “Rights”, which we will examine more closely in this article, form a vital part of the new regulation.
The Right to be Informed – This can be summarised in what will become known as a “privacy notice”, which should contain all the relevant information for the individual to be able to decide on providing the necessary consent for data to be processed.
The Right of Access – Like the DPA, an individual will have the right to obtain confirmation that their data is being processed. An organisation must respond to a right of access request within one month. Unlike the DPA, no fee will be charged (unless excessive or repetitive requests are received).
The Right to Rectification and Right to Be Forgotten – An individual has the right to have their data amended or deleted if it is found to be inaccurate or incomplete. You will also have to inform any third parties to whom you have disclosed this data, and notify the individual of those third parties (again within one month), so that corrections can be made.
The Right to Restrict Processing – Individuals have the right to block the processing of their information.
The Right to Object – This is where you will see the most activity and changes. It is separated into two areas, with two “must-dos” that apply to both. First, individuals can object to processing for direct marketing. Secondly, the right to object can be based upon legitimate-interest or public-interest grounds. The two must-dos: organisations must offer a way to object online, and you must inform people of their right to object in a privacy notice.
The Right to Data Portability – An individual has the right to obtain and reuse their personal data for their own purposes.
The data minimisation principle requires organisations not to hold data for any longer than necessary and not to change the use of the data from the purpose for which it was initially collected. At the same time, organisations must delete any data at the request of the individuals [3]. This means organisations need to have the processes and technologies in place to delete data in response to requests from individuals at all times. More in-depth training, and details of how we can help you, are contained within our training courses.
[1] General Data Protection Regulation – coming 25th May 2018
[2] Referring to the old UK Data Protection Act 1998
[3] In specific circumstances