GDPR is based around 8 rights, building on those that already exist in the Data Protection Act and introducing new ones. Below are the 8 rights with a brief explanation of each:
- Right to be informed – All organisations must be completely transparent about what data they are storing and how they intend to use it. This information must be communicated in a clear, easy-to-understand manner.
- Right to access – Subjects have the right to be told exactly what data is being held on them and how it is being processed. The information must be provided to the subject free of charge and in a commonly used format.
- Right to Rectification – Subjects have the right to have any inaccurate data held on them corrected; you (the processor/controller) must also pass the updated information on to any third parties you have shared it with.
- Right to Erasure – Otherwise known as the right to be forgotten. You must have a procedure in place to remove a subject's data from your systems (physical and electronic), for example when your reason for collecting the data is no longer valid or the subject withdraws consent.
- Right to restrict processing – A subject has the right to block the processing of their data for a number of reasons. For example, if the subject has contested the accuracy of the data held on them, they can restrict that data from being processed until the dispute is resolved.
- Right to portability – The subject has the right to request a copy of their data, generally so that it can be moved between computer systems or between service providers. The data must be provided in a structured, commonly used format.
- Right to Object – Subjects have the right to object to their data being processed.
- Rights in relation to automated decision making and profiling – GDPR introduces a safeguard to protect a subject against automated systems making decisions about them without human intervention. An example of where this would apply is an insurance firm.