Individuals' Rights Under The GDPR

In addition to introducing a series of data processing principles for businesses, the GDPR also sets out 11 Rights for the Individual and one set of restrictions.

The ICO distils the first three of those rights into a single 'right to be informed' which makes things a bit easier to understand, so we'll take that approach too.

The ICO's documentation and the GDPR's Articles and Recitals describe these Rights very well, so we'll focus here on what requirements those Rights may place on your small or medium-sized enterprise/organisation (SME).

The right to be informed

(Articles 12, 13 and 14)

What it means to your SME:

  • At the time of collecting personal data you need to inform the individual of a large number of points relating to what you plan to do with their data, where that data will be processed, how long you plan to hold on to the data and the details of their rights under the GDPR. This notice needs to be in clearly written and intelligible language.
  • You have to tell people if you later intend to process the data for purposes other than those for which it was originally collected. That means you need to know what purposes the data was originally collected for, and to be able to prove that (Article 13).
  • If your SME did not obtain the data, i.e. if you are processing the individual's data on behalf of another organisation, you still have an obligation to respond to data requests from that individual (Article 14). You have to provide much the same information as if you had collected the data yourself, and also the details of who you are processing the data for.
  • If your SME did not obtain the data and you wish to use that data in new ways, you must contact the individual and inform them of this.
  • If the individual asks, you have to provide the information in a 'concise, transparent, intelligible and easily accessible form' within one month of the request, except for some types of data where this can be extended by a further two months if the request is complex or involves a large number of items of data (Article 12).
  • If the data request is made electronically, it should be fulfilled electronically where possible (Article 12).
  • The data must be provided free of charge, except where 'requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character' (Article 12).

The right of data access

(Article 15)

Anybody can ask you if you have personal data concerning them and if so they are entitled to obtain from your SME (among other things):

  • The personal data in question
  • The purpose of the processing
  • The categories of data
  • The identities of all other parties you have already, or will in future, share that data with
  • How long you plan to hold their data, or the criteria by which you determine that period
  • The existence of any automated decision making, including profiling, a meaningful explanation of the criteria used to make those decisions and the consequences of those automated decisions on the individual

What that means for your SME:

  • You need to know all of the places where you store data about an individual
  • You need really good records of any occasions where that data leaves your organisation. It's not just obvious things like credit checking agencies; it's also things like MailChimp or passing data to your software developers for analysis
  • You need to know what your rules are for keeping data
  • You need a good understanding of any profiling tools you use. If those are third-party software products from vendors outside the EU, ensure that the decision-making logic is available to you

The right to rectification

(Article 16)

What that means for your SME:

  • You need to know everywhere in your organisation where data about individuals is stored (paper records, CRM software, line of business software, website database, accounts software, etc.) so that you can update those systems if an individual informs you the data you have about them is incorrect.
  • You also need to know everyone you shared that data with, inform them of the corrections required and inform the individual of the details of those third parties. This means it's vital you have a record of what data has left your organisation and where it went.

Right to erasure (‘right to be forgotten’)

(Article 17)

What that means for your SME:

  • Your systems need to allow for the deletion of personal data. That sounds trivial, but many (or probably most) database-based software packages (think CRM, line of business and accounts packages) do not allow records to be deleted, only archived or deactivated. You have to action a request to delete immediately, so it's important to consider how this will be handled if your systems don't allow deletions. Blanking personal data for an individual's record may work here.
  • Where you've made that data public, you are obliged to inform other organisations using that data that a request for erasure has been received.
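To show what "blanking" looks like in practice, here is an added example (not code from the original page or from Redox): a customer record in a constructed line-of-business schema is erased by overwriting every personal-data field while keeping the record skeleton so that existing references do not break, and the list of third parties the record was disclosed to is returned so they can be informed. The field names and the `CustomerRecord` class are assumptions made for the example.

```python
"""Erasure by blanking for a system that can only deactivate, not delete.

Added example; the schema and names are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date

# Fields treated as personal data in this constructed schema.
PERSONAL_FIELDS = ("name", "email", "phone", "address", "date_of_birth", "notes")


@dataclass
class CustomerRecord:
    customer_id: int          # opaque key, kept so related records still link
    name: str
    email: str
    phone: str
    address: str
    date_of_birth: str
    notes: str
    active: bool = True
    erased_on: str = ""       # date of erasure only; no personal data
    # Third parties this record was disclosed to; needed to pass the
    # erasure request on to them.
    disclosed_to: list = field(default_factory=list)


def erase_by_blanking(record: CustomerRecord, requested_on: date) -> list:
    """Overwrite every personal-data field, deactivate the record and return
    the third parties that must be told about the erasure."""
    for name in PERSONAL_FIELDS:
        setattr(record, name, "")
    record.active = False
    record.erased_on = requested_on.isoformat()
    # Return a copy so the caller can work through the notifications.
    return list(record.disclosed_to)


def residual_personal_data(record: CustomerRecord) -> dict:
    """Check helper: any personal-data field still holding a value.
    Should be empty after erase_by_blanking()."""
    return {f: getattr(record, f) for f in PERSONAL_FIELDS if getattr(record, f)}
```

Running `residual_personal_data()` over every erased record is a cheap check that a new field added to the schema later has not silently escaped the blanking list.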

Right to restrict processing

(Articles 18 and 19)

What that means for your SME:

  • A record of which people have blocked which types of processing needs to be kept and consulted prior to processing data. In most cases, the best way to handle that will be within the software used to manage those processes.
  • As with the other rights, you also have to pass the individual's requests on to third parties you've shared the data with.

The right of data portability

(Article 20)

What this means for your SME:

  • You need to be able to provide an individual with their personal data in a manner that allows them to easily take that data elsewhere. That data has to be in a machine-readable format, think spreadsheet or export file rather than Word document or PDF.
  • If you anticipate a lot of these types of request (i.e. if you are in an industry where customers regularly move between providers - e.g. mobile phone providers, banking, utilities to name but a few) then this process should definitely be automated. That may be a reasonably large undertaking as you are likely to need to bring together data from multiple separate software systems (and potentially from paper records too).
  • For organisations who anticipate few of these types of request, preparing a spreadsheet of a person's data manually and then saving it as a CSV file should suffice.

The right to object

(Article 21)

What this means for your SME:

  • The primary impact here is on direct marketing and profiling. If you receive an objection you must stop direct marketing immediately and there are no grounds to refuse. Of all of the GDPR, this is actually the part that is likely to trip up the most businesses as marketing is often done on an ad-hoc basis based on departmental or even individual staff members' lists of contacts or leads, and also by external mailing houses and automated online mailing tools (such as MailChimp or Constant Contact). Ensuring that every one of those areas is aware that a person should not be marketed to is a non-trivial undertaking and is probably best achieved by centralising CRM into a single location or creating a single master list of objectors that all systems can refer to.
  • It's not enough to stop marketing to the individual; you also have to remove them from the profiling process. So, if you run a report each month of customers who haven't purchased from you in six months, you need to ensure that any objectors are not included in the data used to calculate who is included in that report. The only way to achieve this in many cases will be to change the way the software that performs those tasks works.
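The "single master list of objectors that all systems can refer to" from the point above, and the record of who has blocked which type of processing from the right to restrict processing, can be the same thing. Here is an added example (not code from the original page or from Redox) of such a register, consulted before the monthly "no purchase in six months" report is calculated rather than after the mailing list is produced. The customer data, processing-type labels and class names are constructed for the example.

```python
"""One register of objections/restrictions, keyed by person and processing type.

Added example; customers and labels below are constructed.
"""
from datetime import date, timedelta

# Processing types a person can object to or restrict (constructed labels).
DIRECT_MARKETING = "direct_marketing"
PROFILING = "profiling"

# Constructed customer data: customer id -> date of last purchase.
CUSTOMERS = {
    101: date(2018, 1, 10),
    102: date(2017, 9, 1),
    103: date(2017, 11, 20),
    104: date(2017, 6, 30),
}


class RestrictionRegister:
    """Master list every system checks before processing a person's data."""

    def __init__(self):
        self._entries = {}  # (customer_id, processing_type) -> date recorded

    def record(self, customer_id, processing_type, on):
        self._entries[(customer_id, processing_type)] = on

    def record_marketing_objection(self, customer_id, on):
        """An objection to direct marketing also stops the related profiling."""
        self.record(customer_id, DIRECT_MARKETING, on)
        self.record(customer_id, PROFILING, on)

    def is_allowed(self, customer_id, processing_type):
        return (customer_id, processing_type) not in self._entries

    def filter_allowed(self, customer_ids, processing_type):
        """Drop everyone who has blocked this type of processing."""
        return [c for c in customer_ids if self.is_allowed(c, processing_type)]


def lapsed_customer_report(customers, register, as_of, months=6):
    """Customers with no purchase in `months`. Objectors are removed from the
    input before the calculation, not just from the final mailing list."""
    cutoff = as_of - timedelta(days=30 * months)
    eligible = register.filter_allowed(customers.keys(), PROFILING)
    lapsed = [c for c in eligible if customers[c] < cutoff]
    return register.filter_allowed(lapsed, DIRECT_MARKETING)
```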

Article 21 also talks about the right to object to processing based on legitimate interests, such as research, but that's not something we've considered here.

Rights relating to automated decision-making and profiling

(Article 22)

What this means for your SME:

  • If your SME makes decisions about individuals based on automated profiling you must provide a mechanism whereby the individual can obtain human intervention. That means processes that use profiling must also allow for a manual override. This doesn't apply if the profiling is an implicit part of the service the individual signed up with your business for in the first place (for example if you ran a credit scoring agency, or wrote an activity tracking app).

Important: This site describes our current understanding of the General Data Protection Regulation (GDPR).

We are not lawyers, always seek specialist GDPR advice for your organisation.

About Redox Software

At Redox we specialise in producing bespoke software written especially for your business. We can write you a system that can be used on your computer, via the web or on your tablet/phone – or any combination of those - either now or in the future.

Our Contact Details

The Colin Sanders Innovation Centre
Mewburn Road, Banbury
Oxfordshire. OX16 9PA

+44 (0)1295 817646