GDPR: Getting Data Protection Right (Part Four – Individuals' Rights)

This is Part Four in Mills & Reeve’s series of blogs about Getting Data Protection Right.

In Part One we looked at lawful processing, in Part Two we focused on transparency, and in Part Three, we focused on data security.

In this Part Four, we focus on individuals’ rights.

Individuals’ data protection rights are revamped by the GDPR. For example, as an individual (a “data subject”) your right to access your personal data through a “Subject Access Request” is altered so that personal data must, in general, be provided without charge and within a shorter time frame of one month.

The rights are:

• Right to be informed – People have a right to be informed about their personal data. Review the ICO guidance on privacy policies for the details required to be communicated to the data subject, available here.
   
• Right of access – Data subjects have the right to obtain (i) conformation that their data is being processed (ii) access to their personal data and (iii) other supplementary information that should be set out in a privacy notice.
   
• Right to rectification – Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
   
• Right to erasure – A data subject may request the erasure of personal data in certain circumstances, if it is no longer necessary in relation to the purpose for which it was originally collected/processed.
   
• Right to restrict processing – Processing must be suppressed in certain circumstances, e.g. if the individual contests the accuracy of the personal data.
   
• Right to data portability – This includes a right to receive a copy of the personal data, free of charge, from the data controller in a commonly used and machine-readable format and store it for further personal use on a private device.
   
• Right to object – Individuals have a right to object to (1) direct marketing (including profiling) (2) processing of their data based on legitimate interests or the performance of a task in the public interest (3) processing for purposes of scientific/historical research and statistics. See here for the ICO guidance.
   
• Rights regarding automated decision making – Individuals have the right not to be subject to a decision when it is based on automated processing.
   
• Breach notification rights – When a personal data breach is likely to result in a high risk to a data subject's rights, a data controller must notify the data subject of the security breach without undue delay.

Practical steps to take now

• Review internal processes for complying with individuals’ data protection rights.
   
• Ensure standard responses to subject access requests inform individuals about their other rights and provide the other necessary information.
   
• Check the ease with which data can be easily accessed, exported and/or restricted if relevant requests are received. 

At Mills & Reeve we offer a range of products and services relating to GDPR-readiness and data protection – to find out more please contact one of our data protection experts Paul Knight, Sarah Whyman or Edward Hadcock.