Individuals rights under GDPR

This blog is a continuation of the Introduction to GDPR series. If you've missed the start, please go here Introduction to GDPR. GDPR came into force in 2018 and with it came specific rights that individuals have with regard their data and how its used, processed, stored, shared and so on.

Individuals Requests

An individual (also known as a Data Subject) has the 8 primary rights under the GDPR. When an individual makes a request related to their right, there are rules that must be obeyed pertaining to that request which include.

• Request must be logged and stored so you have an accurate record of the request
• You have 1 calendar month to respond to the request, starting from the day after they receive the request
• You may not charge to process the request (except in exceptional and or justifial circumstances)
• Responses must be in clear and plain language and should have no attempt to confuse

When an organisation receives a request which could be written or verbal and they've logged that request in their system, they must consider whether they will carry out the request and do as asked or decline the request. A decline must be for a valid reason and the result should be communicated but keep in mind that this could be challenged and escalated to the ICO. An example of a reason to partially decline a request for erasure is if the individual wants you to delete all information related to them, including the record you have of them excercising their right to request the erasure of their data.

It is perfectly acceptable to keep a record of an individuals right to erasure which by its nature will include personal data, but this should be minimal and only what's needed. Without a record of the request, you cannot demonstrate compliance with a request and you would be unable to perform legitimate checks, such as monitoring abuse.

Individuals rights under GDPR

As mentioned at the start, individuals have 8 primary rights under GDPR and they are as follows:

1. Right to be informed
2. Right of access
3. Right to rectification
4. Right to erasure
5. Right to restrict processing
6. Right to data portability
7. Right to object
8. Rights related to automated decisions including profiling

Your organisation must have in place some system to keep track of these requests and a process by which they will carry them out.

Right to be Informed

Known as privacy information, amongst other things, you must tell people at the time of collection: Why your collect and process their data, how long you keep it for and who you will share it with. 

If you want to start using their data in a way that's not consistent with the way you communicated and they consented to, you must inform them and gain consent where appropriate.