Businesses need to be aware of the new enhanced rights granted to individuals (data subjects) under the General Data Protection Regulation (GDPR) as the date the new regulations are implemented (25 May 2018) fast approaches.
While some of these rights are an extension of what is currently afforded to data subjects under the existing data protection regime, others represent completely new concepts.
For instance, lots of businesses will be surprised to hear that their right to charge an administration fee for dealing with data subject access requests has now been abolished (unless the request is unfounded or excessive), as this acted as a useful deterrent against time wasters looking to cause bother.
A summary of the new rights which will be available after 25 May 2018 is as follows:
- The right to request access to personal information (right of access);
- The right to request the correction of any incomplete or inaccurate personal information (right of rectification);
- The right to request a deletion of personal information if the continued processing is not justified (right to be forgotten);
- The right to object to processing of personal information where the data controller is relying on a legitimate interest and the data subject wants to object to processing on this ground (right to object to processing);
- The right to request the restriction of processing personal information (e.g. suspend processing until the data controller has established the accuracy or the reason for processing) (restriction of processing);
- The right to request the transfer of personal information to another data controller (right to data portability).
So what are the implications for businesses? For example, if you are a software provider, you may receive a request from a data subject asking you to transfer their personal data to a new software provider. You might also receive a request from a data subject asking you to delete all personal data that you hold about them.
To ensure compliance (and avoid potentially hefty fines), all businesses will need to train staff to ensure that they are properly versed in dealing with data subjects’ requests. They will need to review existing policies and procedures to ensure that they are compliant with the new GDPR rules and they will need to assess whether their computer systems are sufficient to deal with the rights (e.g. the right to erasure and the right to data portability).
While the new GDPR is a major step forward in enhancing data subjects’ rights, it will be a time-consuming and potentially expensive exercise for businesses.
If you wish to discuss any of the issues raised in this article or would like assistance with complying with the new GDPR please contact Rebecca Anforth, head of Intellectual Property, on 01872 226999 or firstname.lastname@example.org.
The information provided in this article is for general information purposes only and does not constitute legal or other professional advice and cannot be relied upon as such. Any law quoted in this article is correct at 22 March 2018. Appropriate legal advice should be sought for specific circumstances before any action is taken. Copyright © Murrell Associates Limited 2018.