For the most part, individuals’ data protection rights will be the same as they are under the current Data Protection Act but with significant enhancements. The GDPR will also introduce new rights. There will be the ‘right to erasure’; individuals can have their data deleted upon request. The GDPR will also introduce the ‘right to data portability’ which allows data subjects to access and move their personal data from one IT environment to another. Organisations will need to put policies and procedures in place to accommodate these new developments.
At the moment individuals have the right to restrict or block the processing of personal data when the information is only needed for specific legal purposes, inaccurate, or when they have objected to data processing and this claim is currently being investigated by the data controller. Individuals also have the right to:
The data subject can object to the processing of their personal data when it’s being used for the purpose of direct marketing.

Access. When requested, the data controller must provide a copy of personal data without excessive delay and for a fee.
The data subject can exercise these rights if the data is incomplete, inaccurate or not being processed in compliance with the Data Protection Act.
This is when processing an individual’s data results in a decision which significantly affects them in some way.
This means that an organisation’s privacy policy must detail the identity of the data controller, the purposes for processing the personal data and any information necessary to enable processing to be fair in the organisation’s specific circumstances.
Access to personal data must now be provided free of charge and within one month of request. Data controllers will also be required to provide additional information to individuals such as the retention period of the data. Organisations will need to put systems in place to cope with these requests.
Requests for rectification of data must be responded to within one month but can be extended to two months if the issue is complex.
Individuals can request data erasure simply by withdrawing their consent – there are certain exceptions such as when the data is being held for public health purposes or public interest.
An individual’s right to fair and transparent processing has been strengthened. The GDPR requires that privacy information is communicated in clear, plain language – it is no longer enough to provide a long-winded privacy policy. The privacy policy must communicate the GDPR changes to individuals’ data protection rights.
Individuals will have the right to erasure when:
If the data controller has provided personal data to a third party then they must take reasonable steps to inform third party controllers that the data subject has requested erasure.
The GDPR introduced this right so that individuals are no longer locked into a specific service provider. The data controller must store information in a commonly used format for easy transfer to another IT environment.
1. Update your privacy policies to make sure that new and extended rights are incorporated and that they are communicated in accessible language.
2. Assess whether you need to establish new procedures to cope with the practical implications of the extended and new rights. For instance, how will you deal with access requests? How will you take steps to erase data that has been shared with third parties?
3. Plan how your staff, operational processes and IT systems will need to adapt to accommodate GDPR changes to individuals’ data protection rights.
4. Develop your employees’ awareness of the GDPR requirements, how to implement your GDPR action plan and how to plan your internal audit cycle.