Continuing our look at the GDPR and its requirements, this edition of the blog gives a brief overview of the rights of the individual, or ‘data subject’, to use the GDPR parlance.
Although most organisations will have policies and procedures in place for the rights of individuals under the existing Data Protection Act (DPA), these documents will require a thorough review to ensure that all the rights accorded to individuals under the GDPR are being met.
The rights of the individual under the GDPR include the following:
• The right to be informed of what data is held, as well as the lawful reason for holding the data
• The right of access for the data subject to see the personal data being held
• The right to rectification, which means that individuals have a right to ensure the data held by an organisation (data controller) or processed (data processor) is accurate and up to date. The data controller or processor is bound under the GDPR to rectify any errors they are informed about, once the error or omission has been verified
• The right to erasure, also referred to as the right to be forgotten
• The right to restrict processing in relation to the points discussed below regarding automated decision-making and automated profiling, as well as other areas where the data subject has reasonable grounds to request restriction
• The right to data portability, which is the right for the data subject to demand their data is transferred to another recognised data controller – see below for the conditions that have to be met
• The right to object to both what data is held, and the reasons for that data being held. Objections follow a laid-down procedure and include the right to escalate the objection to the supervising authority, which in the UK is the Information Commissioner’s Office (ICO)
• The right not to be subjected to automated decision-making
• The right not to be subjected to automated profiling
The reasons for the individual rights listed above are self-evident, and most proficient data controllers would welcome them. After all, what good is incorrect data, for example?
It is relevant therefore to consider the organisation’s process for erasure or deletion of data – how, as a data controller or data processor, would the process be carried out? Would an automated procedure take care of finding and deleting the data, and would the procedure permit the location and deletion of data from back-ups, especially when the back-up data is stored off-site or in a cloud-based back-up? It is also important to determine who within the organisation would make the decision regarding data deletion.
When an individual data subject requests access to their data, the data controller must provide the data in a commonly used and machine-readable form, and the information must be provided free of charge.
The right to data portability only applies when certain criteria are met. It applies only to data the data subject has provided to an organisation (data controller) (i) with consent expressly given for the processing of the data, (ii) in relation to the performance of a contract, and (iii) only when the processing is carried out by automated means, for example payroll.
As with the rights to access and rectification, data portability must be provided to the data subject free of charge.