Frequently asked questions on GDPR
GDPR - Data Subjects’ rights
The General Data Protection Regulation (“GDPR”) provides some new rights for individuals and strengthens some of the rights that currently exist under the Data Protection Act 1998 (“DPA”).
If your organisation processes personal data, what steps has it taken to familiarise itself with the GDPR and the enhanced rights of individuals?
If your organisation processes personal data, it must ensure that its policies and procedures provide for the following rights and where applicable, how requests will be dealt with including a timeline:
The right to be informed
The GDPR requires organisations to supply the following information to individuals:
- identity and contact details of the controller and where applicable, the controller’s representative and the data protection officer
- purpose of the processing and the lawful basis for the processing
- the legitimate interests of the controller or third party, where applicable
- any recipient or categories of recipients of the personal data
- details of any proposed transfers of personal data to third countries or international organisations and the existence of an adequacy decision by the European Commission, or where applicable, the appropriate safeguards
- the period for which the data will be stored or criteria used to determine the retention period
- the existence of each data subject’s rights
- the right to lodge a complaint with the Information Commissioner
- whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data
- the existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences
- the categories of personal data (where data is not obtained directly from the data subject)
- the source the personal data originates from and whether it came from publicly accessible sources (where data is not obtained directly from the data subject)
- the right to withdraw consent at any time
The information provided must be:
- concise, transparent, intelligible and easily accessible, and
- written in clear and plain language, particularly if addressed to a child.
The right of access
The right of access to an individual’s own personal data existed under the DPA but organisations must provide more information than was previously required and reply within one month from the date of receipt of the request.
The right to rectification
The GDPR requires organisations to ensure that personal data is accurate, kept up to date and is erased or corrected without delay when it is inaccurate.
The right to erasure (right to be forgotten)
This is a new right giving individuals the right to request organisations to delete their personal data in certain circumstances.
The right to restrict processing
This is a new right giving individuals the right to restrict data processing in certain circumstances.
The right to data portability
Individuals have a new right to obtain a copy of their personal data from the data controller in a commonly used and machine readable format and have the right to transmit that data to another controller.
The right to object
Individuals have the right to object to the processing of his or her personal data including profiling unless the data controller can demonstrate legitimate grounds for the processing which override the individual’s rights.
Where personal data is processed for direct marketing purposes, individuals have the right to object to processing for such purpose.
Rights in relation to automated decision making and profiling
Individuals will have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects on the individual or similarly affects the individual. Organisations that engage in profiling activities will need to consider how to implement appropriate consent mechanisms to continue these activities.
The right to be notified of a data security breach
Where the personal data breach is likely to result in a high risk to the rights and freedoms of an individual, the data controller must notify the individual without undue delay.
The new Data Protection Bill was published in September 2017 and is currently making its way through Parliament. It is too early to know what form the final Data Protection Bill will take and it may differ from the GDPR in some respects. Brachers will continue to monitor the situation and highlight any points where differences are likely to have a material effect.
How can we help?
For further information and advice on the GDPR please contact our specialists:
- News & Events