What are your GDPR rights as an individual?
There is so much “noise” out there about this important subject, isn’t there? But do you know what your rights are when it comes to GDPR?
We are being inundated by email opt-ins, sometimes from businesses we didn’t even realise had our contact information in the first place. What does it all mean and how does it affect you as the “data subject”? What even is a “data subject”? What is personal data? What’s all the fuss about?
It feels as though the real message has got lost along the way – not really surprising when you think that this is the biggest shake-up of any law I’ve ever known. It affects EVERYONE – individuals and business owners.
The Objective of GDPR
So let’s look at the key objective of GDPR (General Data Protection Regulation) – it is to ensure the privacy and protection of the personal data of data subjects in a changing world. To ensure this happens, GDPR empowers the data subject, that’s you, with certain rights. Through these rights, the individual can be reassured that their data is not being misused for any purposes other than those it was initially used for. How many times have you wondered how on earth someone got your email address and why they were emailing you? And what can you do about it from 25 May 2018 onwards?
The GDPR came out of a human rights movement – it is a mindset change – data now belongs to you, not to a business – how cool is that!
Individuals will have to be given much more information about how their data is processed and who by. So, what is “processing” in this context? The GDPR defines processing as more or less any aspect of touching data, including storage, transmission (e.g. email blasts) or alteration (updates).
Data collection will often rely on specific consent and individuals will be required to opt-in with the knowledge of how their data will be used and processed. This is definitely the case if you are the consumer, or if you run a business as a sole trader or as a partnership. As an employee of a limited company or a public limited company you might be contacted by companies who have chosen Legitimate Interests as their lawful reason for contacting you – you will be able to find this in their privacy policy.
A data subject has rights as a customer, an employee and as personnel of a supplier, regardless of whether they opted in or were contacted under Legitimate Interests.
There are 8 individual rights:
1. Right to be informed
This gives the data subject the right to ask a company about what personal data is being processed and the reason behind its processing. Companies should provide this information in a privacy policy, statement or notice. It should be free, accessible and written in clear language that is easy to understand.
2. Right to access
This gives the individual the right to ask for access to their data that is being processed. The subject can see or view their data, or request copies of the personal data.
3. Right to rectification
This gives the individual the power to amend or change their data. This should generally be processed in a period of four weeks, or eight weeks if the situation is complicated.
4. Right to erasure (also known as the right to be forgotten)
This allows the individual to ask for their data to be deleted. This usually happens when a customer relationship has ended. It is worth pointing out that this is not an absolute right and it depends on complying with other laws that cover this.
5. Right to restrict processing
6. Right to data portability
7. Right to object
8. Rights related to automated decision making and profiling
You can refuse to be part of an automated process. For example, if you are applying for a loan, you can ask for your data to be processed manually because you believe the automated processing will not consider your individual situation fully.
How to contact a business about one of your Individual Rights
You, or a legal representative, can make a rights request. It should be done in writing. You can do this as a customer, an employee or as personnel of a supplier working for a company.
Businesses will have to respond to you within a certain time frame when you contact them about your individual rights (usually 30 days) and can’t charge you, unless the request is considered manifestly unfounded or excessive.
What to do if you believe one of your Individual Rights has been breached?
- Check out the privacy policy of the business – a link to it should be on the email communication and the company’s website.
- Contact the company using the relevant Subject Access Request form, if they have one – and companies that are taking this seriously will.
- If that doesn’t achieve the desired result then the ICO will be able to help and advise you.
If you would like to know more then the ICO has lots of useful information and they have recently set up a Twitter Channel: YourDataMatters
If you are a business owner and are not compliant, then talk to us; we can help you. Remember, you are not only risking fines, but also damage to your reputation.