The General Data Protection Regulation (GDPR) came into effect earlier this year after a two-year grace period. It is a complex piece of legislation about which many employees will have had extensive training. However, though the regulation directly applies to them, relatively few citizens will know much about GDPR and what it means for them. This article aims to give a quick overview of the main rights awarded to citizens (termed “data subjects”).
The first right we’ll discuss is the right to be informed. This means that, if your personal data is being collected, you have the right to know how to contact the organisations collecting and processing your data (termed the controller and processor respectively), the contact details of the Data Protection Officer (DPO) at the organisations, the basis for processing the data, who will access the data, the retention period of the data and notification of other rights under GDPR (such as the right to access your data and the right to file a complaint if you believe the data is being misused). The right to be informed is a fundamental right of the data subject, as it ensures that they know how their data is to be used and what they can do if they wish to change anything.
Another important right that many will have heard of is “the right to be forgotten”. This means that, if a data subject wishes, they can request that a controller or processor erases all of their data without undue delay. However, for this request to be valid, one of a number of conditions must be met: for example, the data is no longer necessary to complete the original task, or the data must be erased to comply with another legal requirement. If the data has somehow been made public, the controller or processor must communicate your wish to all recipients of the data. Data may not be erased if keeping it is in the public interest.
There are two other related rights: the right to object to data processing and the right to restrict the use of data. If data processing is related to public interests, or the legitimate interests of others, you can object to your data being used for those purposes. More usually, you have the right to object to data processing if the data will be used for direct marketing. Similarly, you have the right to restrict how your data will be processed. Both of these rights are limited by circumstance.
There are, of course, a number of other rights detailed by GDPR. The right to access, for example, means that you can request to access all of your data that is held by the controller. The right to data portability means that you can request that this data is made available to you in a convenient manner. The right to rectification means that all data subjects can request that changes be made to their files if the data is shown to be inaccurate.