General Data Protection Regulation

  • Rights of Individuals
  • At the core of the GDPR is the theme of keeping individuals’ rights and interests front of mind at all times. Under the new regulation your customers will have the following rights:
    • The right to be informed (see below for more information)
    • The right of access
    • The right to rectification
    • The right to erasure (see below for more information)
    • The right to restrict processing
    • The right to data portability
    • The right to object
    • Rights in relation to automated decision making and profiling
    More information on the rights of individuals can be found on the Information Commissioner’s Office (ICO) website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
    1. Right to be informed
    Businesses must provide details of how customers’ information will be processed and why. Privacy policies will also need updating to reflect this and to bring them in line with GDPR requirements. Don’t forget that any policy changes will need communicating to both new and existing customers.
    2. Right to erasure (or ‘right to be forgotten’)
    Individuals will now be able to request that their data is deleted. This does not give people an absolute right to be erased or forgotten, but it is possible under certain circumstances, for example where there is no longer a compelling reason for the data to remain on file. There are also occasions where the request can be refused, namely where the personal data is being processed for one of the following reasons:
      • To exercise the right of freedom of expression and information
      • To comply with a legal obligation, or for the performance of a public interest task or the exercise of official authority
      • For public health purposes in the public interest
      • Archiving purposes in the public interest, scientific research, historical research or statistical purposes
      • The exercise or defence of legal claims
    3. Data protection officer
    Under the GDPR it is a requirement that, in certain circumstances, a data protection officer (DPO) must be appointed. This requirement applies if, for example, your core activities involve large-scale processing of special categories of data, or of data relating to criminal convictions and offences. Public authorities will also need to appoint a DPO. Of course, you may still appoint a DPO even if you are not required to, and this may be worth considering to ensure that you have the resources and skills to manage your other GDPR obligations. More information on DPOs can be found on the ICO website.
    4. Obligations on data processors
    According to the ICO, a data controller “determines the purposes and means of processing personal data” and a data processor “is responsible for processing personal data on behalf of a controller”. Under the existing Data Protection Act (DPA), the statutory obligations fall on data controllers only. The GDPR, however, gives data processors new responsibilities of their own around the security of personal data during processing activities. Data processors will also be directly accountable in law for compliance, rather than only through the terms of their contracts with controllers.
    5. Data protection impact assessment
    A data protection impact assessment (DPIA) is a tool which the GDPR promotes so that businesses can effectively assess and comply with their data protection obligations. It allows you to identify and resolve any issues that may lead to non-compliance, and so avoid the resulting costs and reputational damage. You are required to conduct a DPIA where the processing of data is likely to result in a high risk to the rights and freedoms of individuals.