The European General Data Protection Regulation (GDPR) act will be applicable as of 25 May 2018 in all member states, for any company that stores or processes personal information about EU citizens within EU states. GDPR has a huge impact on businesses, particularly due to the new consent rules. Due to these consent rules, citizens will better understand what personally identifiable information (PII) a service collects and what the service does with that data. Citizens of the EU will also be enabled to make informed decisions on whether to use the service at all and whether they give consent to all purposes.
In this section, we briefly discuss the 8 rights given to every EU citizen by GDPR.
1. Right to be Informed
Transparency and choice are the main cornerstones of the GDPR act. The Right to be Informed enables individuals to be informed about the collection and use of their personal data. After the implementation of the act, a business that collects information from an individual has to inform them about the purpose for processing their personal data, the retention period of that data, and with whom it will be shared.
The regulation lays out an extensive outline of communications with data subjects in varying areas such as third-party legitimate interests and data subject rights. Individuals should be able to contact the data controller with any queries they may have.
2. Right to Access
The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing. This right provides EU citizens with the ability to get access to their personal data that is being processed. It gives EU citizens the right to see or view their own personal data, as well as to request copies of it.
3. Right to Rectification
This article in the data regulation act enables individuals to correct inaccurate information, or to complete it if it is incomplete. An individual can make a request for rectification verbally or in writing, and this must be done swiftly, clearly and without undue delay. The Right to Rectification is closely linked to the controller’s obligations under the accuracy principle of the GDPR. In certain circumstances, a request for rectification can be refused.
4. Right to Erasure
Another important right is the right to erasure, also known as the Right to be Forgotten. The general principle here is that an individual has the right to request the deletion or removal of their personal data. This right is not absolute, which means there are circumstances when data will not be erased at the request of the individual.
Individuals have the right to have their personal data erased if:
- the personal data is no longer necessary for the purpose for which the business originally collected or processed it;
- the business is relying on consent as its lawful basis for holding the data, and the individual withdraws their consent;
- the business is relying on legitimate interests as its basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- the business is processing the personal data for direct marketing purposes and the individual objects to that processing;
- the business has processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);
- the business has to do it to comply with a legal obligation; or
- the business has processed the personal data to offer information society services to a child.
5. Right to Restriction and Processing
This right can be closely linked to the right to rectification and the right to erasure. Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction over data that was earlier shared by consent. This may be because they have issues with the content of the information a business holds or with how it has processed their data.
6. Right to Data Portability
The Right to Data Portability enables individuals to ask for the transfer of their personal data, or to obtain and reuse their personal data for their own purposes across different services. This is particularly important for businesses considering and collecting. If there is usage data, they could feasibly take that intelligence and use it with a third party elsewhere to their own advantage (and potentially your loss!). Yet another reason for businesses to carefully consider what data they need, and how they use it.
7. Right to Object
Normally, the Right to Object would be categorized the same as the right to withdraw consent, if consent was appropriately requested and no processing other than for legitimate purposes is being conducted.
However, a specific scenario would be when a customer asks that his or her personal data not be processed for certain purposes while a legal dispute is ongoing in court. This right bears a significant relation to the use of data for direct marketing and to processing for purposes of scientific/historical research and statistics. Within this clause, individuals can object to their data being used for such purposes.
8. Rights related to automated decision making including profiling
This right is practically a safeguard against a potentially damaging decision that might be taken without human intervention. If the automated decision is based on explicit consent or is authorized by law, then this right no longer applies. As automation becomes ever more prevalent within software, industry, and business, this article could unsurprisingly become ever more prevalent.
Articles 12-23 of the General Data Protection Regulation act look directly at the rights of the data subject (an individual whose data is held by an organization).
Conclusion
The General Data Protection Regulation act will have a huge impact on data compliance and usage. It is crucial for businesses to understand exactly what is coming around the corner now, to avoid any unwelcome surprises that come with the 25th of May 2018. Data subject rights form the core of GDPR, and your company must implement these rights in the context of its individual clients, employees, and personnel from other suppliers. If you have any queries, let us know in the comment section below.
What is Target Integration doing to help businesses?
Some of the work in becoming GDPR compliant is system based, but some of the other areas are more business-process oriented.
To start with, all of the software that we provide is now GDPR compliant. We are working with those of our customers who have older versions of software to get them GDPR compliant, and we are working with software suppliers to help them upgrade their software to be GDPR compliant.
We are also working with companies who have bespoke software, helping them upgrade to GDPR compliant software or make their bespoke software GDPR compliant.
So, whatever situation you are in, talk to us and we can advise according to your particular situation.