In the fourth part of our GDPR blog series we’re covering how GDPR gives new rights to individuals and their data. You can read our GDPR blog series by following the links below:
- The General Data Protection Regulation – An introduction to GDPR
- How the GDPR affects the personal data you hold
- Plan how you need to change ahead of GDPR implementation
- How GDPR gives rights to individuals and their data
- What is your lawful basis for processing data
- GDPR gives you a duty to prevent and report data breaches
How GDPR gives rights to individuals and their data
For many businesses (regardless of size) data capture is a key part of any sales process and marketing strategy. From 25th May 2018, the personal data you hold needs to be documented. This documentation should include what data you hold, where it came from and how you use it. For many businesses the first stage toward GDPR compliance will be to perform a data audit to ensure all documentation is correct.
Correct documentation matters because under GDPR individuals have the right to request a copy of all the personal data you hold about them. You should also be able to tell them where you got the information from and how you use it. From there, the individual has the right to request changes to their information or ask for it to be deleted. In summary, GDPR has moved ownership of any data you hold to the individual, not you as a business.
The rights of an individual
In the case of a person requesting deletion, you’ll need clear processes in place to action this, and any request should be responded to without ‘undue delay’. All requests of this nature should be actioned within 1 month of the request being received.
If you learn of any inaccurate data it will be your responsibility to inform any organisation you’ve shared it with, as they will also have to action updates. Without current documentation it’s unlikely you’ll know where you’ve passed data to, or even what pieces of information you hold.
A key part of GDPR is the re-definition of what constitutes consent for you to store an individual’s personal information. Consent should be clearly presented and asked for at the point data is inputted, not hidden in small print and not defined by pre-ticked boxes – and consent can be withdrawn at any time.
The gathering and storage of personal data
An important principle of GDPR is to require companies not to store any personal data for longer than required or use it for any purposes the individual hasn’t consented to. Previously, many businesses have regarded inactivity by the individual as signifying consent to continue storing and using their information; this is no longer the case. In fact, the new legislation specifically includes clear wording on this: “…silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
How you obtain consent has not been specifically determined, but it could include a written statement, an oral statement (that is correctly documented) or the ticking of a box on your website. In certain circumstances you may also have a lawful basis to store and process data without explicit consent, but this will be strictly governed.
Remember, while actioning your own GDPR policies, that it all applies to you as an individual too. You’re a person with personal data rights of your own, and you will expect your information to be handled correctly by any business that holds it.