In addition to changing the way that businesses and organizations obtain and handle data, GDPR also grants individuals several rights. These include, but are not limited to:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
These shall be discussed briefly below.
The right to be informed
The “right to be informed” is a key requirement under GDPR. GDPR stipulates that individuals have the right to be informed about the collection and use of their personal data. The rules require businesses to be transparent with their customers regarding the use of the data which they hold. Organizations must be clear about their purposes for processing individuals’ personal data, the amount of time for which they’ll hold the data, and who will be able to access the data.
The right to access
This gives individuals the right to access their personal data which is held by organizations. Individuals have the right to request a copy of their personal data, including any supplementary information, using a variety of communication pathways (including social media). Businesses must respond to these requests within a month of them being received and are not permitted to charge a fee for the service.
The right to rectification
Under GDPR, individuals have the right to change the personal data that a business holds if it is incorrect. They also have the right to complete data if it is incomplete. Businesses must respond to these requests within a month of them being received and are not permitted to charge a fee for the service. Under certain circumstances, such as if the accuracy of the data is disputed, organizations may refuse to change the data and a third party may be needed to mediate the dispute.
The right to erasure
The right to erasure gives individuals the right to request that personal data held by controllers is erased as soon as possible. This is also known as the “right to be forgotten”. The right to erasure only applies in certain circumstances; these include if an individual’s data is no longer necessary for the original purpose for which it was collected, if the business has unlawfully processed the information, if the individual withdraws their consent and that is the only lawful reason an organization has for holding the information, or if the business is holding the information for marketing purposes.
The right to restrict processing
This right prevents an organization from further processing an individual’s personal data. It allows an individual to restrict the ways in which their data is used by an organization but does not stop the organization from holding the data. The right does not apply in every circumstance; an individual must have a legitimate reason to request the restriction and suppression of their data. This may be if an individual disputes the accuracy of the data being held, or if the organization no longer needs the data but the individual requires them to keep it to exercise or defend a legal claim.
The right to data portability
This GDPR rule gives individuals the right to obtain personal data from organizations in a secure, digital format. Individuals should be able to reuse their own data for personal reasons and transfer it across digital formats without its usability being affected. It also allows an organization to transfer the data to another organization electronically.
The right to object
The right to object allows individuals to protest and prevent organizations from further processing or storage of data. The right only applies in certain circumstances, but individuals are always able to prevent their information from being used for direct marketing purposes. Individuals can also object if the data processing is for a task carried out in the public interest, for the business’s legitimate interest, or for the exercise of an official authority vested in the organization. Organizations may refuse the request, and a third party may be needed to settle the dispute.