You’re probably aware of ‘consumer rights’: they are the rules organisations need to follow to stop customers from being exploited.
The specifics vary between laws, but they almost always include the rights to remain safe, informed and to lodge complaints.
Though essential, these rights don’t reflect the way consumer culture has evolved in recent years. Goods and services are now often exchanged for individuals’ personal data, so similar rules are needed for the way that information is processed.
That’s where the GDPR (General Data Protection Regulation) comes in. A lot has been written about the Regulation’s extensive requirements and the potential for massive fines for data breaches, but it’s all to create an environment in which individuals can share their information without having to worry about how secure it is.
Data subjects’ rights
The GDPR provides individuals with eight rights:
1. The right to be informed
Organisations need to tell individuals what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
This information must be communicated concisely and in plain language.
2. The right to access
Individuals can submit subject access requests, which oblige organisations to provide a copy of any personal data concerning the individual.
Organisations have one month to produce this information, although there are exceptions for requests that are manifestly unfounded, repetitive or excessive.
3. The right to rectification
If the individual discovers that the information an organisation holds on them is inaccurate or incomplete, they can request that it be updated. As with the right to access, organisations have one month to do this, and the same exceptions apply.
4. The right to erasure (also known as ‘the right to be forgotten’)
Individuals can request that organisations erase their data in certain circumstances, such as when the data is no longer necessary, the data was unlawfully processed or it no longer meets the lawful ground for which it was collected. This includes instances where the individual withdraws consent.
5. The right to restrict processing
Individuals can request that organisations limit the way they use personal data.
It’s an alternative to requesting the erasure of data, and might be used when the individual contests the accuracy of their personal data or when the individual no longer needs the information but the organisation requires it to establish, exercise or defend a legal claim.
6. The right to data portability
Individuals are permitted to obtain and reuse their personal data for their own purposes across different services. This right only applies to personal data that an individual has provided to data controllers by way of a contract or consent.
7. The right to object
Individuals can object to the processing of personal data that is collected on the grounds of legitimate interests or the performance of a task carried out in the public interest or in the exercise of official authority.
Organisations must stop processing the information unless they can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the individual, or unless the processing is for the establishment, exercise or defence of legal claims.
8. Rights related to automated decision-making, including profiling
The GDPR includes provisions for decisions made with no human involvement, such as profiling, which uses personal data to make calculated assumptions about individuals.
There are strict rules about this kind of processing, and individuals are permitted to challenge and request a review of the processing if they believe the rules aren’t being followed.
Is your organisation GDPR-compliant?
The rules we’ve listed here existed in previous data protection laws, so they shouldn’t have come as a shock to anyone trying to get their head around GDPR compliance.
However, because the requirements – and the penalties for non-compliance – have been strengthened, it’s more important than ever to make sure you have the necessary processes in place.
Our GDPR Toolkit helps you create the necessary documents to ensure that consumers’ rights are met and that your overall compliance practices are sufficient.
Designed and developed by GDPR experts, the toolkit is ideal for anyone who wants help completing their documentation requirements quickly and easily.
But it’s more than simply a set of templates. It also includes:
- Gap analysis and DPIA tools that help you identify compliance weaknesses and how to address them;
- Two licences for the GDPR Staff Awareness E-learning Course; and
- Guidance documents covering data subject consent forms, data retention records, and pseudonymisation, minimisation and encryption.
A version of this blog was originally published on 11 April 2018.