In the fourth of our blog posts about the upcoming GDPR (General Data Protection Regulation) we’re looking at the rights you, as an individual, have regarding your data.
GDPR sets out 8 basic rights for individuals:
- The right to access: this means that individuals have the right to request access to their personal data, or to ask how their data is being used by a company. If a customer asks, the company must provide a copy of the personal data, for free and in electronic format if requested.
- The right to be forgotten: if people are no longer customers or if they withdraw their consent, companies have no right to use their personal data. This means that individuals have the right to have their data deleted.
- The right to data portability: individuals now have the right to transfer their data from one service provider to another. This must happen in a commonly used and machine-readable format.
- The right to be informed: you must let individuals know about the data you collect and store about them. This applies to any gathering of data, and includes informing the individual before their data is gathered. Consumers must opt in before you gather any data about them, and consent must be explicitly given rather than implied.
- The right to have information corrected: this ensures that customers can have their data updated or corrected if it is out of date, incomplete or incorrect.
- The right to restrict processing: individuals can request that their data is not used for processing. Their record can remain in place, but not be used.
- The right to object: this gives individuals the right to stop the processing of their data for direct marketing. Importantly, there are no exemptions to this rule – any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communications.
- The right to be notified: if there has been a data breach that compromises an individual’s personal data, you must notify them within 72 hours of becoming aware of the breach.
This is good news for individuals as GDPR aims to ensure that people have more power over their own data. It takes power away from organisations that collect and use personal data to make money, and makes it safer for the individual.
For businesses, this means you need to ensure that you’re putting individual rights and data safety first. By proactively acting on GDPR and these rights, you’ll also be giving your customers the best possible experience with you, and reducing any negative impact on your company’s reputation.
You can find out how to request your personal information, access information from a public body, raise a concern, claim compensation, check your information is being handled correctly, and more, from the Information Commissioner’s Office (ICO).