The GDPR enhances existing data subject rights provided under the EU Directive whilst also introduces new ones which will have large implications for business that gather or process personal data. These organisations will have new obligations under the GDPR and will have to take steps to protect and comply with these rights.
These rights include the right for customers to information, to access their own personal data, correct or erase that personal data, restrict and object to data processing. They will also be able to receive a copy of their personal data or transfer it to another data controller, not be subject to automated decision-making and be notified of a data security breach.
A summary of the actions needed to safeguard these rights are:
Right of Information: Organisations need to have mechanisms in place to ensure fair and transparent processing, including adequate and clear privacy notices.
Right of Access: Organisations need to have mechanisms in place to provide access to and copies of personal data to data subjects.
Right to Rectification: Organisations need to have mechanisms in place to be able to locate all of the data subject’s personal data across their systems and update as requested.
Right to be Forgotten: Organisations need to change the way they handle personal data and implement a framework through which they can respond to data subjects’ requests to have their personal data erased.
Right to Restriction of Processing: Organisations need to have mechanisms in place to be able to locate all of the data subject’s personal data across their systems and restrict its processing as requested and as appropriate.
Right to Data Portability: Organisations need to have mechanisms in place to provide personal data to data subjects in a structured or commonly used machine readable format.
Right to Object: Organisations need to have mechanisms in place to be able to locate all of the data subject’s personal data across their systems and be able to stop processing.
Automated Individual Decision Making: Organisations need to have mechanisms in place to identify instances of decisions based solely on automated processing and to stop such processing where appropriate.
Organisations will find these actions easier to embed if they view these not as inconveniences, or try to establish the minimum requirement without facing penalties, but as restoring their customers rights. By taking these actions an organisation can empower their customers in a way that builds trust, and could end up being able to use personal data more effectively because of it.
Download our Risk and Confidence Survey at http://www.cnahardy.com/pulse
Next: Privacy and Consent in GDPR