An Introduction to GDPR Data Subject’s Rights
The GDPR is here to stay – that’s a good thing
The General Data Protection Regulation (GDPR) came into force on 25 May 2018 amid an unprecedented amount of hype and FUD (fear, uncertainty and doubt). Thankfully, things have settled down now and the bombardment of emails (many of which were unnecessary or even unlawful) has stopped. But there are still lots of businesses which are not compliant and don’t have processes in place to deal with some of the positive facets which GDPR gives us as individuals.
GDPR isn’t often seen as a positive change, as it means that businesses have to adapt the way they do things, but there are many positives about this new law, which reflects a change in human rights and in the way businesses communicate and keep data. It is a mindset change. GDPR is about so much more than consent, legitimate interest and privacy policies, and with the refresh of PECR on the horizon it is imperative that businesses get this right. Keep an eye out for our simple GDPR compliance checklist in the next few days. Why not join our Lifting the Lid Off GDPR to receive the checklist direct to your inbox, plus other GDPR collateral such as our series of de-mystifying GDPR emails?
What are the positives of GDPR for a business?
Businesses who have already embraced their GDPR compliance journey are seeing the fruits of their labours in the form of:
- better systems and therefore efficiencies within their business
- an increased awareness of what data they hold and what they do with it
- improved IT security
- a better understanding of who their clients are, and therefore who their ideal clients are and how to encourage them to become clients
Overall the importance of data has been elevated and this can only be a good thing.
Don’t let a Data Subject’s Rights Request derail your business
We have noticed a significant increase in the number of Data Subject’s Rights requests being sent to businesses, and we have seen how long it takes an unprepared business to process a request and how much effort goes into gathering the necessary information and dealing with the request in the legally prescribed way.
Of course, all of this takes the business owner and their staff away from their day job, causing a knock-on effect throughout the business.
What are Data Subject’s Rights?
A data subject has a set of rights under the GDPR, and your organisation has an obligation to help data subjects exercise their rights. A request can be made verbally or in writing, and it does not have to mention the GDPR or use any particular wording. This can make it difficult to recognise a request, so it is important to record when you received a request and how you responded.
All requests should be responded to, with the data if relevant, within one month of receipt; this can be extended by up to two further months where requests are complex or numerous, provided you tell the data subject why within the first month. You cannot charge for this work unless the request is “manifestly unfounded or excessive” or is repeated, and even then there are limits on what you can charge. You can refuse to fulfil a request on these grounds, but you need to let the data subject know this, justify the decision, and tell them that they can complain to the supervisory authority and seek a judicial remedy. You also need to send them your GDPR compliant privacy policy. Find out more in An Introduction to GDPR Data Subject’s Rights.
The Rights
There are eight Data Subject’s Rights and each needs to be treated and actioned slightly differently:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure (right to be forgotten)
- Right to restriction of processing
- Right to data portability
- Right to object
- Rights in relation to automated decision making and profiling (we do not cover the rights relating to automated decision making and profiling in this blog or in the document – if you think this area might apply to your business please contact us)
Find out what each of them means and how to deal with each Data Subject’s Rights request in our free download An Introduction to GDPR Data Subject’s Rights. In this document we aim to provide a simple overview of how your organisation should be supporting the data subject so that they can exercise their rights; in other words, how you need to deal with a request if you receive one.
How we can help
If you haven’t started your GDPR journey then hopefully this will encourage you not to put it off any longer. The key thing with GDPR is to make a start, and then make sure that you have a documented plan to finish things off. Find out more in our blog: GDPR: Things to Get Done Pretty Rapidly
Please note: if you are handling special category data (the GDPR’s term for sensitive data, which it defines specifically), or criminal records data, or are processing large volumes of data regularly, then you should dedicate more effort to getting this sorted as soon as possible.
Our popular GDPR Compliance Roadmap Toolkit has all the instructions, explanations, templates and checklists you need to be compliant. In addition to what’s in the toolkit, we are offering unlimited email support and a review of your privacy policy. We also offer bespoke GDPR Services for businesses.
We will keep our clients who have purchased the toolkit, or for whom we have undertaken bespoke GDPR work, up to date with important changes in the GDPR and with the new PECR and ePrivacy Regulation (ePR) laws which are fast approaching. Call us on 01635 592020 to talk to us in confidence; we are here to help.
Who we are
Andrew Roberts and I have 35 years of Data Protection, Data Management and Data Processing experience between us. We take a pragmatic approach to making the most of data in business, so do contact us if you would like to talk, in confidence, about how GDPR, PECR and ePR affect you and your business.