Principles of GDPR compliance and the Rights of Data Subjects

August 20, 2018

If GDPR applies to you, then you have some legally binding obligations. These sit under the principles set out in Article 5 of the GDPR, which we'll go over here. They are:

  1. Personal Data shall be processed lawfully, fairly and in a transparent manner. 
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. 
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. 
  4. Accurate and, where necessary, kept up to date. 
  5. Kept no longer than is necessary. 
  6. Processed in a manner that ensures appropriate security through technical or organisational measures.

 

You don't just have to demonstrate compliance with these key principles; you are also required to protect these rights that all citizens now have:

 

-Right of Access (Article 15) 

Any data subject can request the information you hold on them, and it must be provided in a timely manner and without charge. As with any request, if there is industry regulation, such as the FCA, or legal requirements, then this would trump the GDPR.

 

-Right to rectification (Article 16) 

If the data you hold is incorrect you have to correct it, and if you have passed this incorrect data on to third parties (with the subject's consent, of course!) then you must also notify them of the corrections to be made.

 

-Right to Erasure (Article 17) 

Individuals will be able to demand that you delete them from your systems in their entirety. There are areas that are out of scope on this, where erasure is not feasible or is technically impossible, e.g. server backups or a piece of microfiche.

 

-Right to request restriction of processing (Article 18) 

Data subjects will be able to obtain the restriction of processing where:

  1. The accuracy of the data is contested.  
  2. The processing is unlawful but the individual does not want the data erased. 
  3. The controller no longer needs the data to process, but is required to keep it. 

-Right to notification (Article 19)

The controller has to communicate any rectification or erasure of personal data or restriction of processing carried out. 

 

-Right to Data Portability (Article 20) 

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. 

 

-Right to Object to Processing (Article 21) 

The data subject now has the right to object, on grounds relating to his or her particular situation. 

 

-Right to not be profiled (Article 22) 

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. 

 

These are only snippets of the GDPR articles, but hopefully they give you a feel for your new obligations and the rights of individuals under GDPR. You'll need to read up on, or seek advice on, the full implications for your business. You can see all the Articles here for full reading.