Individuals' Rights under the GDPR and the Data Protection Act

The Data Protection Act and the GDPR define eight rights for individuals.

Read on!

Individuals Rights

Under the GDPR an individual, also known as a data subject, has eight principal rights:

  1. Right to be Informed
  2. Right to Access
  3. Right to Rectification
  4. Right to Erasure
  5. Right to Restrict Processing
  6. Right to Data Portability
  7. Right to Object
  8. Rights related to Automated Decision-making

Our Erudite GDPR Solution provides a self-service page for Subject Access Requests, or a help-desk portal for your staff to take requests and record them.

Right to be Informed

Individuals have the right to be informed about the collection and use of their personal data.

  • Known as privacy information, this is what you must tell people at the time of collection:
    • Why you collect and process their data (purpose and legal basis)
    • How long you keep it for
    • Who you will share it with
  • You must provide privacy information to individuals at the time you collect their personal data from them
  • You must regularly review, and where necessary update, your privacy information
  • If you want to use their data in a new way, you must inform them before you start the processing

Our Erudite GDPR Solution enables you to document purpose, legal basis, data retention and more.

Right to Access

Commonly known as the Subject Access Request (SAR), this is the individual's right to obtain a copy of the personal data you hold about them.

Remember these facts:

  • A subject access request can be made verbally or in writing
  • You must log the request
  • You have one calendar month to respond
  • In most circumstances, you cannot charge a fee to deal with a request
  • The response must be in clear and plain language with acronyms and shorthand explained
  • You need a defined method for ensuring your retention schedule is adhered to
  • You need a defined means of retrieving all personal data held about a given individual
  • You need a defined means of deleting or disposing of the data once it is no longer required

A subject access request requires you to provide positive confirmation of processing plus:

  • A copy of their personal data along with the purpose
  • Details of who you’ve disclosed their personal data to
  • Your retention period for storing the personal data
  • The existence of their right to request rectification, erasure or restriction or to object to such processing
  • The right to lodge a complaint with the ICO or another supervisory authority
  • Information about the source of the data, where it was not obtained directly from the individual
  • The existence of automated decision-making (including profiling); and
  • The safeguards you provide if you transfer personal data.

Our Erudite GDPR Solution enables data subjects to raise their own right of access request on our portal, or your team can record requests on their behalf.

Right to Rectification

The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. The right to rectification gives individuals the power to ensure you represent them correctly and, more importantly, to ensure a fair outcome when that data is used in a decision-making process such as a loan or job application.

Data is considered inaccurate if it is incorrect or misleading in any way.

Summary

  • A rectification request can be made verbally or in writing
  • You must log the request
  • You have one calendar month to respond
  • While you are verifying whether the data is accurate, you should restrict processing of that data

Right to Erasure

The right to erasure is commonly known as the right to be forgotten.

The right to erasure applies if:

  • The personal data is no longer needed for the purpose for which you originally collected it
  • You are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent
  • You are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing
  • You are processing the personal data for direct marketing purposes and the individual objects to that processing
  • You have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the first principle)
  • You have to erase it to comply with a legal obligation; or
  • You have processed the personal data to offer information society services to a child

The right to erasure does not apply when the processing is necessary:

  • to exercise the right of freedom of expression and information
  • to comply with a legal obligation
  • for the performance of a task carried out in the public interest or in the exercise of official authority
  • for archiving purposes in the public interest, scientific or historical research, or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of that processing; or
  • for the establishment, exercise or defence of legal claims

Summary

  • An erasure request can be made verbally or in writing
  • You must log the request
  • You have one calendar month to respond
  • This right only applies in certain circumstances
  • If you have shared the data, you must contact those parties and inform them of the request

Our Erudite GDPR Solution supports the logging of erasure requests and provides reminders to keep you on track.

Right to Restrict Processing

Individuals have the right to request the restriction or suppression of their personal data. An individual can limit the way an organisation uses their data; when processing is restricted, you may continue to store the personal data but not otherwise use it.

The GDPR suggests a number of different methods that could be used to restrict data, such as temporarily moving the data to another processing system, making the data unavailable to users, or temporarily removing published data from a website. Whatever method you choose, the restriction has to be enforced wherever the data is accessed, not just in one application.

This right applies if:

  • The accuracy of the data is being contested
  • The processing is unlawful, but the individual prefers restriction to erasure
  • You no longer need the data but the individual needs you to keep it to support a legal claim
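The two operational rules that recur on this page, the one-calendar-month response deadline and "store it but do not use it" restriction of processing, are easy to get subtly wrong in a system. The following is an added example, not code from the original page or from the Erudite product, showing one way to implement both: a deadline calculation that handles short months (a request received on 31 January is due on the last day of February), and a request register with a single read path so that restricted data cannot be processed by any caller while it remains stored. All class and function names and the sample record are assumptions made for the example; the month-end rule follows the ICO's interpretation of a calendar month.

```python
"""Request-deadline and restriction-of-processing example.

Added illustration, not part of the original page or of the Erudite product.
Class and function names, and the sample record below, are assumptions made
for the example.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class RequestType(Enum):
    ACCESS = "access"
    RECTIFICATION = "rectification"
    ERASURE = "erasure"
    RESTRICTION = "restriction"
    OBJECTION = "objection"


def response_deadline(received: date) -> date:
    """One calendar month from receipt: the same day number in the next month.

    Edge case: when the next month is shorter (a request received on 31 Jan),
    the deadline is the last day of that month (28 or 29 Feb). This follows
    the ICO's interpretation of a calendar month.
    """
    year_carry, month_index = divmod(received.month, 12)  # December -> (1, 0)
    year = received.year + year_carry
    month = month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def deadline_iso(received_iso: str) -> str:
    """String convenience wrapper, e.g. '2024-01-31' -> '2024-02-29'."""
    return response_deadline(date.fromisoformat(received_iso)).isoformat()


class ProcessingRestricted(Exception):
    """Raised when anything other than storage touches restricted data."""


@dataclass
class SubjectRecord:
    subject_id: str
    data: dict[str, str]
    restricted: bool = False
    # (request type, received, deadline) tuples: the request log the page asks for
    request_log: list[tuple[str, str, str]] = field(default_factory=list)


class SubjectStore:
    """Toy store with a single read path, so restriction cannot be bypassed.

    Restricted data stays stored (and can still be given to the individual
    under a right-of-access request) but is refused to any processing caller.
    """

    def __init__(self) -> None:
        self._records: dict[str, SubjectRecord] = {}

    def put(self, record: SubjectRecord) -> None:
        self._records[record.subject_id] = record

    def log_request(self, subject_id: str, kind: RequestType, received: date) -> date:
        """Record a request and return the date by which you must respond."""
        record = self._records[subject_id]
        deadline = response_deadline(received)
        record.request_log.append((kind.value, received.isoformat(), deadline.isoformat()))
        if kind is RequestType.RESTRICTION:
            record.restricted = True
        return deadline

    def lift_restriction(self, subject_id: str) -> None:
        """Call once accuracy has been verified or the legal claim is resolved."""
        self._records[subject_id].restricted = False

    def is_stored(self, subject_id: str) -> bool:
        return subject_id in self._records

    def for_processing(self, subject_id: str) -> dict[str, str]:
        """The only way business logic obtains data; refused while restricted."""
        record = self._records[subject_id]
        if record.restricted:
            raise ProcessingRestricted(f"processing of {subject_id} is restricted")
        return dict(record.data)

    def for_access_request(self, subject_id: str) -> dict[str, str]:
        """Copy for the data subject themselves; allowed even when restricted."""
        return dict(self._records[subject_id].data)


def demo() -> tuple[str, bool, bool]:
    """Constructed scenario: accuracy is contested, processing is refused, data is kept."""
    store = SubjectStore()
    store.put(SubjectRecord("subj-001", {"postcode": "AB1 2CD"}))  # constructed sample
    deadline = store.log_request("subj-001", RequestType.RESTRICTION, date(2024, 1, 31))
    try:
        store.for_processing("subj-001")
        refused = False
    except ProcessingRestricted:
        refused = True
    still_stored = store.is_stored("subj-001")
    store.lift_restriction("subj-001")
    return deadline.isoformat(), refused, still_stored


if __name__ == "__main__":
    print(demo())
```

The design point is that restriction is a property of the record enforced at the store, not a flag each application is trusted to check; if the data also lives in copies (exports, caches, downstream processors), those need the same treatment or the restriction is not real.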

Our Erudite GDPR Solution enables you to log requests to restrict processing and gives reminders to keep you on track.

Right to Data Portability

Individuals have a right to obtain their data and reuse it for their own purposes.

  • It allows them to move, copy or transfer data easily from one service to another
  • This enables individuals to find a better deal or to understand their spending habits, for example
  • The right to data portability entitles an individual to:
    • receive a copy of their personal data; and
    • have their data transmitted directly from one controller to another, where technically feasible
  • You must provide the personal data in a format that is structured, commonly used and machine-readable

The right to data portability only applies when:

  • Your lawful basis for processing the information is consent or the performance of a contract; and
  • You are carrying out the processing by automated means (ie excluding paper files).

Information is only within the scope of the right to data portability if it is personal data of the individual that they have provided to you.

Right to Object

GDPR gives individuals the right to object to processing of personal data in certain circumstances.

  • For direct marketing the right to object is absolute: once an individual objects, you must stop using their data for that purpose
  • In other cases where the right to object applies you may be able to continue processing if you can show that you have a compelling reason for doing so
  • You must tell individuals about their right to object
  • An individual can make an objection verbally or in writing
  • You have one calendar month to respond to an objection

Rights related to Automated Decision-making

This covers decisions made solely by automated means, without human involvement, and profiling, meaning the automated processing of personal data to evaluate certain things about an individual.

You can carry out this type of decision-making where the decision is necessary for entering into a contract or is based on the individual's explicit consent. You are required to give individuals information about automated individual decision-making, including profiling.

Buying insurance online is an example: the automated decision on your quote is necessary for the contract you then enter into.

Other examples of solely automated decisions include an online decision to award a loan, and a recruitment aptitude test that uses pre-programmed algorithms and criteria. To support individuals' rights around such decisions and profiling you must:

  • Explain that you use automated decision-making processes, including profiling
  • Explain what information you use, why you use it and what the effects might be
  • Have a simple way for people to ask you to reconsider an automated decision
  • Have identified staff in your organisation who are authorised to carry out reviews and change decisions

Try Erudite for free.

Our Free Trial gives full access to the functionality for a time-limited period so you can fully explore our GDPR solution, Erudite. Our no-obligation Free Trial will let you see how our GDPR solution can add value to your business and make compliance with the GDPR simpler and less daunting.

Let's Get Started!