It has been two years since the implementation of GDPR. It is important to regularly ensure your business is being compliant with the processing of personal data. Read on to learn about the eight privacy rights for individuals under GDPR and what they mean for your business.
These rights need to be detailed in your privacy notice. For more information on this visit www.dataprotection.ie. The eight rights for individuals are:
1. The right to be informed
What this means is that the individual should know what personal data you are collecting on their behalf, why you are collecting their personal data and who has access to it in relation to third parties. For example, if you use an outsourced payroll provider to process employee wages this would need to be detailed in your privacy notice. You must provide information such as the country in which the processing occurs, the legitimate interests of the processor, data retention etc.
2. The Right of Access
This means the individual has the right to access the personal data belonging to them that you process. This will come via a data access request and you will have up to one month to give them their personal data unless it is excessive and then you should keep the individual informed of this. You can read more information about managing data access requests here. One could ask why and how you process it, who sees it, how long it will be stored for etc.
3. The Right to Rectification
This right allows the data subject to have their personal data updated and amended without undue delay if they feel the information is out-of-date. This should particularly be carried out if the data is inaccurate as this could have an impact on them or others. If you held the phone numbers of the data subjects and they had not been updated, you could risk contacting a customer who did not provide their consent. The business should provide a process for the data subjects to update their own information either verbally or in writing.
4. The Right to Erasure
This right is also referred to as the right to be forgotten whereby all personal data relating to an individual should be erased and no longer kept on any paper based or electronic systems, including the cloud. However, if there is a regulatory or legal requirement to retain the data, this overrides the right to be forgotten so this particular right is not absolute.
5. The Right to Restrict Processing
The data subject can exercise its right to limit the way a business processes their personal data which can be an alternative option to requesting the full erasure of their data. They might have issues with the information you hold or how you have processed their personal data and request the processing of it to be adjusted. In most cases you will not be required to restrict an individual’s personal data indefinitely but will need to have the restriction in place for a specific duration. Like the right to erasure, this is not an absolute right if a regulatory or legal requirement overrides this right. For example, if a legal claim needs to be defended the personal data would be processed for that purpose.
6. The Right to Data Portability
This right allows an individual to request that their personal data be transferred over to some other business and it only applies to data controllers. An example of this might be that an individual wants to transfer their data from one utility company to another. It allows them to move, copy or transfer personal data easily from one business to another in a safe and secure way and the data should be provided in a structured, commonly used and machine-readable format.
7. The Right to Object
An individual has the right to object to the following:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
- direct marketing (including profiling)
- processing for purposes of scientific/historical research and statistics
It is essential that if you receive an objection to direct marketing this activity must be stopped immediately.
8. Rights to Automated Decision Making and profiling
Businesses will need to state if they use automated profiling so that an individual can request if they need to be aware of any automated decisions that have been made and whether it will stop them doing or obtaining something. An example of this might be a CV selection software that has no human intervention and it matches the keywords from a job advert with the CVs of potential candidates.
If you would like more information on GDPR or to discuss your requirements further, please contact Emma at SFA on 01 6051668 or at firstname.lastname@example.org or visit our GDPR section on www.sfa.ie/advice