GDPR Rights - How organizations can comply!
This article is to summarize the 8 Rights under the GDPR and contains helpful ways for organizations to comply.
1. The right to be INFORMED
Articles 13 and 14 of the GDPR cover this right. It means organizations must give individuals clear and easily understandable information about what they intend to do with their data.
Organizations should proactively comply with this right to ensure compliance. An added advantage is that it fosters a level of trust with individuals, which will give the organization more access to their information.
Companies must provide in a clear, transparent and easily accessible manner the name and contact details of the organization, the Data Protection Officer, the purpose of data collection and processing, the legitimate interests for processing, retention periods and a number of others.
2. The right of ACCESS
People have the right to access their personal data; this is commonly referred to as ‘subject access’. They can make a subject access request to the organization concerned either verbally or in writing, and the organization has a month to respond. In the majority of cases the organization is not allowed to charge the individual a fee for dealing with the request.
The right of access gives individuals the legal right to a copy of their personal data and any other supplementary information. The main purpose is to help people understand why and how the company is using their data, and to ensure it is being used lawfully. Individuals are not entitled to request access to information that relates to other people. If the data is spread across multiple systems, plan the retrieval process carefully so that requests can be handled efficiently, since the information must now be provided free of charge.
3. The right to RECTIFICATION
Under GDPR Article 16, individual data subjects have the right to rectify inaccurate personal data, or have it fully completed if the information is not complete. They can request rectification in writing or verbally and the organization has one month to respond to them.
There are certain circumstances that allow an organization to refuse the individual’s request for rectification. As this right is connected with the obligations of the data controller under the GDPR accuracy principle, an organization acting as a data controller must also inform any third parties to whom the individual’s personal data has been disclosed.
4. The right to ERASURE
This is perhaps one of the most debated rights, commonly known as ‘the right to be forgotten’. The right to erasure means individuals can request that their data be erased. The request can be made verbally or in writing, and the company must respond within a month. This right only applies in certain circumstances and is not absolute. Specific circumstances, such as personal data belonging to a child or a legal obligation to erase personal data, may apply when enforcing this right.
5. The right to RESTRICT PROCESSING
Closely linked to GDPR Article 16 (i.e., the right to rectification) and GDPR Article 21 (i.e., the right to object), individuals have the right to ask for the restriction or suppression of their personal data.
Again, this is not absolute. It applies only in specific circumstances and means that companies can store the data but not use it. As with the other rights, individuals can write or verbally request restriction of their data, and the company must respond within a month.
Organizations must inform any third parties that are also involved with the data about the restriction.
6. The right to DATA PORTABILITY
The right to data portability allows individuals to obtain and reuse their personal data across different services for their own purposes. The right only applies:
a. to personal data an individual has provided to a controller
b. where the processing is based on the individual’s consent or for the performance of a contract; and
c. when processing is automated.
The right allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting usability. Personal data must be provided in a structured, commonly used and machine-readable format (like CSV files) so other organizations can use it and must be provided free of charge.
7. The right to OBJECT
Under this GDPR right, individuals have the absolute right to object to their personal data being used for marketing reasons. They have the right to object to how their data is being processed in other circumstances too, but it’s not absolute.
In these other cases, if the controller can prove a compelling reason for the data usage and processing, then they may be able to continue to do so. Organizations must actively inform individuals about their right to object.
8. Rights regarding AUTOMATED PROFILING and DECISION MAKING
The GDPR applies to all automated profiling and decision making. Automated individual decision-making means decisions made solely by automated means, with no human involvement.
Profiling is also covered here; it means the automated processing of an individual’s personal data to analyze that individual’s needs or characteristics. Under GDPR Article 22, there are extra protections for individuals if the data controller or processor is using solely automated decision-making that has a significant effect on the individual.
The controller must also prove whether their processing comes under GDPR Article 22. If it does not, then the controller organization must:
a. Inform the individual about the processing.
b. Introduce and communicate easy ways for the individual to challenge an automated decision or ask for a human being to check it.
c. Check their systems regularly and often.
Comment (8mo) from a reader (Aspiring Data Protection Privacy Officer | Former Teacher and Head of ICT | Aspiring DPO - CIPP/E - CIPM - GDPR): Ahana Pardhe - CIPP/C, LLB, CS, BCom, Life Skills Coach, thanks!
Comment (1y) from a reader (CEO @ Jatheon | Why not archive all your information forever?): Ahana thanks for sharing! Will read it later today. Compliance offers numerous benefits beyond simply avoiding penalties.