The European Union’s General Data Protection Regulation (GDPR) grants 8 rights to individuals when it comes to protecting personal information.
1. The right to be informed
People have the right to know how you’re using their personal information and why. At a bare minimum you should state the following in your privacy policy:
- The identity of the “data controller” (most likely you) and contact information;
- What you intend to do with that data;
- The data retention period and the basis for it;
- Whether you intend to share the data with third parties;
- That an individual has the right to withdraw consent, how to withdraw consent, and how to lodge a complaint.
2. The right of access
People have the right to access the data you have on file about them. This means that if requested, you must provide such access:
- Free of charge, or a reasonable fee commensurate with administrative costs;
- Within 30 to 90 days of the request to access, depending on the complexity of the information.
If access is refused, you must inform the individual that they can lodge a complaint to the Information Commissioner’s Office.
3. The right to rectification
Individuals have the right to have their information corrected and/or brought up to date. If their information was shared with third parties, you must inform the individual of that fact. You must also notify those third parties that the information is being updated.
You have 30-60 days to comply with the request for rectification, depending on the complexity of the matter.
4. The right to erasure
This concerns an individual’s right to request that their data be removed from your database as well as from that of third parties to whom their data was sent. The right of erasure is limited to where the processing of the data is no longer necessary for the purpose it was first collected. Other legal circumstances may make it necessary to refuse the request to erase an individual’s data, for example, in the case of ongoing legal claims.
5. The right to restrict processing
Individuals have the right to block or suppress the processing of their data, in particular when the accuracy of the data is in question or has not been verified, or if they did not provide consent for the processing of the data. The restriction of data processing does not mean the data must be erased.
6. The right to data portability
Companies are required to allow individuals to obtain and reuse their personal data across different platforms for their own purposes, for example, to help understand their spending habits.
7. The right to object
Individuals have the right to object to their data being processed. This does not apply if processing involves establishing or defending a legal claim, or if there are other grounds that may override this right.
Make this right clear the first time you communicate with an individual.
8. The right not to be subject to automated decision-making
Individuals have the right not to be subject to a company’s automated decision-making, i.e., decisions made by automated processing without human intervention.
Automated processing that is used to analyze or evaluate an individual’s personal behaviors is considered profiling. There are strict conditions for when this is allowed.
For more information regarding the GDPR, go HERE.