One of the major motivations of the GDPR is to extend the rights of individuals. All rights must, by and large, be responded to within one month. Data Subjects have eight new or extended rights:
1) The right to be informed – see previous section
2) The right of access. Generally known as Subject Access Requests (SAR), these were equally available under the Data Protection Act 1998 (DPA), but some of the rules have changed.
The most significant changes to SAR processes are:
- Removal of the £10 subject access fee, unless the request is unfounded, excessive or repetitive.
- Requests must be dealt with within one month of receipt, a significant reduction from the current 40-day timescale.
3) The right to rectification. If personal data is identified as being inaccurate or incomplete, individuals have the right to have it rectified within one month. This extends to any third parties with whom the Data Subject’s information has been shared.
4) The right to erasure. This is often known as the right to be forgotten and can be summarised as the right to have personal data removed or deleted within one month if there is no compelling reason for it to be processed. The ICO is keen to stress that this is not an absolute right to be forgotten and applies only in certain situations, for example:
- When the data is no longer needed for the reason it was originally collected.
- The Data Subject withdraws consent.
- The Data Subject objects to processing and there is no continued legitimate reason to continue processing.
- The processing is unlawful.
- It is required to be erased for legal reasons.
- It was processed in relation to the offer of information society services to children.
The threshold for erasure under the DPA, that the processing would cause unwarranted and substantial damage or distress, has been removed under the GDPR. There are, however, some scenarios in which it is possible to refuse a request:
- The exercise of the right of freedom of expression and information.
- In complying with a legal obligation.
- For public health purposes.
- Archiving in the public interest, statistical purposes and historical or scientific research.
- To defend a legal claim.
If data is to be erased and it has been disclosed to a Third Party, you must also inform them of the erasure, unless it would cause disproportionate effort to do so.
5) The right to restrict processing. As with the Data Protection Act, individuals may restrict processing, which largely means an organisation can hold just enough personal data about them, but not process it any further. This can include scenarios such as:
- A Data Subject contests the accuracy of the data, until the accuracy is confirmed.
- Where the Data Subject has contested the processing and the organisation is considering if its legitimate interests override this.
- When the processing is unlawful.
- If the organisation no longer requires the personal data, but the individual needs it to defend a legal claim.
If processing is to be restricted and the data has been disclosed to a Third Party, you must also inform them of the restriction, unless it would cause disproportionate effort to do so.
6) The right to data portability. This allows individuals to obtain and reuse (i.e. move, copy and transfer) their information across different services free of charge within one month of the request being made. It applies to personal data held by the Data Controller where the processing is undertaken with Consent or for the performance of a contract, and where it is carried out by automated means.
7) The right to object. Individuals have the right to object to:
- Processing based on legitimate interests, or use of their information either in the public interest or by an official authority exercising its powers, including profiling. Processing must stop unless:
  - The University can demonstrate compelling grounds for continuing which outweigh the interests of the Data Subject.
  - It concerns a legal claim.
- Processing for scientific or historical research and statistics. Such objections must similarly be based on the Data Subject’s particular situation. Where the processing is necessary in the public interest, the Data Controller is not required to comply.
- Direct marketing, again including profiling. Such a request must be actioned immediately upon its receipt, and dealt with free of charge.
8) Rights in relation to automated decision making and profiling. This specifically offers safeguards against damaging decisions being taken about an individual by electronic means alone, i.e. by computers. Where this is the case, individuals have the right to obtain human intervention, to express their own view, to have the decision explained to them, and to challenge the decision if they are not happy with it.
Profiling is any processing used to evaluate an individual’s performance at work, economic situation, health, personal preferences, reliability, behaviour, location or movements. Such activity requires precautions including appropriate Privacy Notices, statistical procedures and information security processes, as well as robust procedures to prevent errors.