The eight rights of all individuals will be a key part of the new General Data Protection Regulation (GDPR) when it comes into force in May 2018. These eight rights protect individuals when a business processes their personal data. They are a combination of new rules and existing provisions under the Data Protection Act (DPA).
There is a lot of information for businesses to find out about. This guide aims to explain the eight rights, how and when you must comply with them, and what else is important to know.
This right concerns informing an individual how and why you’re using their personal data. You should typically provide details of the processing through a privacy notice. The information you must provide depends on whether you obtained the personal data from the individual directly or from a third party. General information that you should always provide includes who you are, what you’ll be doing with the data, and who you’ll share it with. Details should also include:
All information should be easy for individuals to access and provided free of charge. It should also be written in a way that is clear, concise and easy to understand, especially if you’re sending it to a child.
If you’ve obtained personal data directly from the subject, you should supply the required information immediately. However, if you’ve obtained it indirectly you can usually provide it within a reasonable period (within one month). If you want to disclose the data to another recipient or if you want to use the data to communicate with the individual, you have to provide the information on or before the disclosure or before the communication.
This is concerned with providing individuals with access to their data so they can confirm it’s being processed, be aware of what information is being used, and verify that the processing is lawful. Upon request, you should provide data:
If you think a request is “manifestly unfounded or excessive”, for example because the request is repetitive, you can charge the individual a reasonable fee, considering your administrative costs, or you can refuse to respond. If you refuse, you must explain to the individual why, and inform them they can complain to the Information Commissioner’s Office (ICO).
Sometimes referred to as the right to have information corrected, this is concerned with the individual being entitled to have their data rectified if it’s inaccurate, out of date or incomplete. If an individual makes a request for rectification, you should:
If you decide not to take action following a request for rectification, you should explain why to the individual. It’s important to also inform them that they can complain to the ICO or bring a complaint before a court.
Also known as the right to be forgotten, this is concerned with an individual’s right to request that their data be removed when there’s no reason to continue processing it. You should also inform any third parties to whom you’ve sent their data that you’re erasing it, unless this is impossible or would involve a disproportionate effort.
However, the individual’s right to be forgotten is only under specific circumstances. This includes:
In certain circumstances, you can refuse a request to erase an individual’s data. This includes where the data is being processed to comply with a legal obligation or to perform a task carried out in the public interest. Other examples include refusal for public health purposes, or for the establishment, exercise or defence of legal claims.
The right is also not limited to processing that causes the individual damage or distress, as is currently the case under Data Protection Act guidelines. However, any damage or distress caused is likely to make an individual’s case for erasing their data stronger.
This means the individual has the right to block or suppress the processing of their data. You should restrict data processing for different reasons, including:
You should inform all third parties to whom you have disclosed the personal data about the restriction on processing. You should also inform the individual if you decide to lift a restriction on processing.
When processing is restricted, you’re allowed to store that data but not process it any further. You can also retain enough information to ensure a restriction is respected.
This is concerned with allowing an individual to obtain and safely reuse their data across different services for their own purposes. An example of when they might want to do this includes using their data on a price comparison website, or to help understand their spending habits. You should provide data:
The right to data portability only applies to data the individual in question has provided, where processing is based on the individual’s consent or on the performance of a contract, and where the processing is carried out by automated means.
This means an individual has the right to object to their data being processed. This is concerned with processing being based on three areas:
For each of the three areas the individual has different rights. For instance, you should stop processing data for direct marketing purposes as soon as you receive an objection and deal with it free of charge. When processing is based on legitimate interest, however, you should stop unless the processing is being done to establish, exercise or defend a legal claim, or you can demonstrate compelling legitimate grounds for it that override the individual’s interests and rights.
In cases of legitimate interest and direct marketing, it’s important to inform an individual they have a right to object to processing when you first communicate with them. This should be presented clearly and separately from other information.
When an individual objects to processing that’s based on legitimate interest or research, they should have “grounds relating to their particular situation” for their request to be accepted. When processing concerns research, you’re also not required to comply with an objection where the processing is necessary for the performance of a public interest task.
This means an individual has the right not to be subject to a business’s automatic decision making in certain circumstances. It’s concerned with a business providing safeguards for an individual against the risk that it might make a potentially damaging decision, without human intervention. The right “not to be subject to a decision” applies when it’s:
For an individual to have this right, you must ensure that they can obtain human intervention and express their point of view. You should also ensure they’re able to receive an explanation about an automated decision and challenge it.
The GDPR states that profiling is any form of automated processing which is used to analyse or evaluate an individual’s personal details. This includes their health, behaviour, personal preferences, performance at work, economic situation, and where they live. When processing data for profiling, you must ensure:
Automated decision making that involves special categories of personal data or children is only allowed under certain conditions, which include explicit consent or processing necessary for reasons of substantial public interest.
The right not to be subject to a decision does not apply to all automated decisions. This includes when it’s necessary for entering into or performing a contract between you and the individual, and if it’s been authorised by law, such as for preventing fraud or tax evasion.
Understanding individuals’ eight rights is just one important part of being ready for GDPR. From taking on new business responsibilities, to the time and costs needed to apply the rights to your customers, there’s a lot to think about – you can learn more in our blog, How to prepare for GDPR. It’s wise to get as much support as you can.
At FSB, we support members with advice and guidance so they can be ready for GDPR when it comes into force next year. This includes:
If you’d like to find out more about how we can help your business with GDPR compliance, please visit our FSB Legal Hub and FSB Cyber Protection pages. The services are included as standard with our Business Essentials package. Please take a look at our package comparison page to find out about the benefits of this package and our others.