With GDPR fast approaching there is still a lot of confusion around what is covered by the regulation. In particular, the GDPR individual rights that are included and that must be adhered to by all companies that carry EU personal data following May 25th 2018.
First let’s look at what GDPR applies to:
• GDPR applies to ‘personal data’ of ‘natural living’ people
• GDPR applies to ‘controllers’ and ‘processors’
• GDPR applies to both automated personal data and to manual filing systems
• GDPR refers to sensitive personal data as “special categories of personal data”
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). This includes any information that means a person can be identified, directly or indirectly. This could be one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. ‘Processing’ means any operation performed on personal data including storage, retrieval, erasure or destruction. ‘Profiling’ means any form of automated processing of personal data to analyse or predict performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Broken down into more detail, the GDPR stipulates specific individual rights that any person, that you store data for, can request. There are 8 individual rights:
The Right to be Informed
As a business you are required to provide ‘fair processing information’ about an individuals person data. This will generally be covered under your privacy policy. You will need to be very transparent on how you intend to use the personal data that you collect and store.
The Right of Access
An individual has the right to access the personal data you store and any supplementary data. This allows the individual to be aware of what data is being held and verify the lawfulness of the processing. This data must be provided free of charge and without delay, at the latest within one month of the request.
The Right to Rectification
Individuals can request to have an inaccurate or incomplete data rectified. It is your business responsibility to inform any third parties you have disclosed the information to of these amends. You must respond to the request with one month.
The Right to Erasure
Also known as the ‘right to be forgotten’. The general principle here is that the individual may request the deletion or removal of their personal data where there is no compelling reason for its continued processing. Whilst not an absolute right, its applies where the personal data is no longer necessary in relation to the original purpose, the individual withdraws consent, the individual objects to the processing, the data is unlawfully processed, it is a legal obligation, or the data processed is in relation to the offer of information society services to a child. You must also inform any third parties you have disclosed the personal data to.
The Right to Restrict Processing
Individuals have the right to block or suppress the processing of their personal data. Your business may continue to store the personal data, however, you may not process it any further. The personal data that is stored should be reviewed and only the information required to ensure that the restriction is respected in future may be retained. Again, you must notify any third parties that you have disclosed data to.
The Right to Data Portability
Individuals have the right to obtain and reuse their personal data for the own purposes across different services. Your business must supply their personal data in a structured, commonly used and machine-readable form which will allow other organisations to use the data. You must respond to this request without delay and within one month.
The Right to Object
Individuals have the right to object to processing of their personal data based on legitimate interests or the performance of a task in the public interest of official authority, direct marketing, and processing for purposes of scientific/historical research and statistics. Your business must inform individuals of their right to object at the point of first communication and it should be included within your privacy policy.
Rights in Relation to Automated Decision Making and Profiling
Individuals have the right not to be subject to a decision when it is based on automated processing and it produces a legal effect or similarly significant effect on the individual. The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. When your business is processing any personal data for profiling, you must ensure that appropriate safeguards have been put in place.
The GDPR is a complex set of regulations and the information above is provided purely as guidance on what rights individuals will have following its introduction in May. If you would like more information about how the GDPR will affect your business or to find out how we can help with GDPR compliance get in touch with us now on 0208 269 6878 or visit www.qlicit.com/contact.
