Your individual rights have evolved under GDPR. But what impact will this have on your business?

As well as introducing new rights, the General Data Protection Regulation (GDPR) will clarify and extend individuals’ rights as they stand currently under the Data Protection Act (DPA).

What will individual rights be under the GDPR? And what action will you need to take because of them?

The right to be informed

The right explained

The right to be informed emphasises the need for transparency over how businesses use personal data. It means that you must supply people with information about the data processing you carry out. This information is usually provided in privacy notices or statements that clearly state your company’s fair processing information.

What’s the impact?

  • You’ll need to produce a privacy statement.
  • You must write a free privacy statement in clear, plain language.
  • The statement must be concise, transparent, intelligible and easily accessible.

The right of access

The right explained

The right of access gives people access to their data so they can be aware of, and verify, the lawfulness of processing.

What’s the impact?

  • You must supply people with confirmation you are processing their data.
  • People must also have access to their data and any other supplementary information.
  • Within one month of receiving it, you must comply with any subject access request. However, if the request is “manifestly unfounded or excessive”, you can charge a fee for producing the information or you can even refuse to comply.

The right to rectification

The right explained

If information is inaccurate or incomplete, individuals have the right to request you rectify it.

What’s the impact?

  • You have one month from the receipt of the request to make the necessary corrections to incorrect information. However, a two-month deadline extension can be applied to more complex requests.
  • Also, if you have disclosed incorrect personal data to a third party, where possible, you must inform the third party of the rectification. If this is the case, you must also inform the individual about the third party you shared their data with.

The right to erasure

The right explained

Also known as the right to be forgotten, the right to erasure enables people to have personal data deleted or removed as long as there is no compelling reason to continue processing their data.

What’s the impact?

Individuals can specifically ask you to delete personal data where:

  • You no longer need the data for the reason you collected it.
  • The individual withdraws their consent to the data being processed and there are no legitimate reasons to continue processing.
  • The personal data was illegally processed and must be deleted to comply with the law.
  • The personal data is processed in relation to the offer of information society services to a child.

There are some situations where you can refuse to delete the data:

  • To exercise a right of freedom of expression and information.
  • To comply with a legal obligation or for the performance of a task of public interest.
  • For the exercise or defence of legal claims.
  • For purposes relating to public health, archiving in the public interest, scientific/historic research or statistics.

The right to restrict processing

The right explained:

Individuals have the right to restrict the processing of personal data where:

  • They have challenged its accuracy.
  • They have objected to the processing of their data and you are considering whether you have a legitimate ground which overrides this.
  • Processing is unlawful.
  • You no longer need the data but the individual needs it to establish, exercise or defend a legal claim.

The right to data portability

The right explained:

Data portability enables individuals to move, copy or transfer their data from one IT environment to another in a safe and secure way.

This will allow consumers to take advantage of applications and services which can use this data to find them a better deal or help them to understand their spending habits.

However, this right only applies:

  • To personal data provided by an individual to a controller.
  • Where the processing is based on consent or the performance of a contract.
  • To automated processing.

What’s the impact?

  • When fulfilling a request, you must provide the data in a structured, commonly used and machine-readable form. Also, if the individual requests it, you may need to transmit the data directly to another organisation.
  • You must comply with any request in the space of one month and provide the information for free.
  • The deadline may be extended to two months if the request is complex and you received a number of requests at once.

The right to object

The right explained:

Individuals may object to:

  • Processing based on legitimate interests, the performance of a task in the public interest or the exercise of official authority (including profiling).
  • Direct marketing (including profiling).
  • Processing for scientific / historic research or statistics.

The GDPR defines profiling as any form of automated processing designed to evaluate particular personal attributes of an individual, especially their:

  • Performance at work
  • Financial situation
  • Health
  • Personal preferences
  • Reliability
  • Behaviour
  • Location
  • Movements

What’s the impact?

  • You must inform individuals of their right to object as soon as possible, ideally at the point of first communication, and in your privacy notice too.
  • In the case of direct marketing, as soon as you receive notice that someone objects, you must stop processing their personal data.
  • For research purposes, individuals must have “grounds relating to his or her particular situation” to object to the processing of their data. However, you are not required to comply with the objection if you are conducting research for a public interest task.

Rights related to automated decision making including profiling

The right explained:

The GDPR safeguards individuals against automated processes making potentially damaging decisions without human intervention. If automated decision making plays a role in your processing operations, you should consider updating them.

Individuals have the right not to be subject to a decision based on automated processing that has a legal or similarly significant effect on them.

What’s the impact?

You must make sure that people can obtain human intervention, express their point of view, get an explanation of the decision and challenge it.

However, the right does not apply to all automated decision making.

Exceptions apply if the decision:

  • Is necessary for entering into or performing a contract between you and an individual.
  • Is authorised by law.
  • Is based on explicit consent.
  • Does not have a legal or similarly significant effect on the data subject.

The GDPR defines profiling as any form of automated processing intended to evaluate specific personal aspects of a person, especially to analyse or predict their:

  • Performance at work
  • Economic situation
  • Health
  • Personal preferences
  • Reliability
  • Behaviour
  • Location
  • Movements

When you are processing personal data for profiling you should ensure that the appropriate safeguards are in place. You should provide meaningful information about the logic involved to make sure the process is fair and transparent. You must secure the data in a way that is appropriate to the risk to the interests and rights of the individual and prevents discriminatory effects. And lastly, you should use appropriate mathematical or statistical procedures for the profiling.

Avoid making automated decisions based on sensitive personal information, unless you have the explicit consent of the person in question or have reasons of substantial public interest.

