As more businesses collect and share customers’ personal data in the digital economy, data privacy has become a defining concern of the digital age. Data is the most critical asset for both businesses and their customers or users. Businesses must ensure the confidentiality and integrity of users’ data and impose strict controls over how personal data is collected and processed. GDPR is the most effective legislation of the current era in defining data protection policies and individuals’ rights regarding data privacy.
In the wake of recent data breaches, it is more important than ever to be aware of your individual data protection rights. The General Data Protection Regulation (GDPR) is a regulation that helps individuals in the European Union exercise their rights over personal data privacy. The UK’s Data Protection Act covers this subject under 8 principles.
What does GDPR mean for individuals?
GDPR has reshaped how businesses collect and process personal data and gives data subjects and customers a level of legal certainty over their personal information that no previous regulation provided. Many businesses have shifted to a digital model and use users’ personal information and sensitive data to deliver and update their services. This has sounded the alarm for individual data privacy and individuals’ rights over their personal data.
Do individuals have fewer rights under GDPR?
No. It is not true that individuals have fewer rights under the GDPR. UK GDPR helps individuals exercise their rights and authority over how their personal data is protected.
To create a unified approach to data privacy, the European Union introduced the General Data Protection Regulation (GDPR) to provide legal protection by binding businesses to embed data privacy in their business model. It also empowers individuals, i.e., data subjects, to exercise their rights and legal authority over their personal information and to find out and analyse how an organisation is processing and protecting their personal data.
What is a data subject?
A data subject is any individual whose personal data is stored, processed or collected by an organisation. GDPR personal data, special category data and examples are covered in detail here.
Which 4 rights do data subjects have under the GDPR?
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
How Many Individual Rights Under GDPR are there?
The General Data Protection Regulation defines eight rights for individuals, which they can exercise at any time without prior notice. Through these rights, data subjects can challenge how their data is collected and processed and complain to the supervisory authority, such as the ICO, if they find the processing unlawful or unclear.
What are the 8 rights of individuals under GDPR?
The following are the 8 rights of GDPR:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights about automated decision making and profiling
1. What is ‘the right to be informed’?
The first and most fundamental GDPR individual right is the right to be informed, often called “privacy information.” Under Articles 13 and 14, GDPR makes it compulsory for the data controller to inform the data subject in advance, in clear and plain language, why the data is being collected and what they (the controller) will do with the personal data: how long it will be stored, whether it will be shared with any third party, and what the retention period will be.
Under this right, businesses or data controllers are bound to notify people transparently and lawfully at the time of data collection. If the data is obtained from another source rather than directly from the data subject, the controller must provide the subject with the privacy information, free of charge, within one month.
2. What is ‘the right of access’?
GDPR grants individuals the right to access their own personal data held by a company. This means that if individuals want to know what information is being stored about them, whether it has been shared with other organisations and whether it has been processed abroad in any way, they should be able to find out. If a data subject asks this of your organisation (the data controller), you must provide all of the requested personal data without delay and free of charge.
Under the GDPR rights for individuals, data subjects can make the request themselves or authorise a third party to access the data on their behalf. The procedure for exercising the right of access is known as a Subject Access Request (SAR). When an individual makes a SAR, the organisation or controller is obliged to provide them with a copy of the information securely and free of charge within a month of the request. Despite this, the GDPR allows the controller to refuse a SAR if the request is manifestly unfounded or excessive.
3. What is ‘the right to rectification’ under Article 16 of the GDPR?
Individuals have the right to have their personal data rectified where it is inaccurate or incomplete. Under GDPR, any inaccurate personal data must be corrected without delay, for example where someone’s name has been recorded wrongly or where incomplete entries in a database would lead to errors when the personal data is processed.
A person can also request the deletion of their personal data if they feel it is unnecessary and do not want anyone else to access it. This could be because the individual perceives that the risk of having this information publicly available outweighs its usefulness, or because there is no other legal basis justifying its continued use and keeping it would cause unjustified damage or distress.
Under these GDPR rights for individuals, controllers are obliged to respond within a month. However, the controller can refuse a rectification request if it is manifestly unfounded or excessive, and must state the reason for the refusal.
4. What is ‘the right to erasure’?
The fourth of the individual rights under GDPR, defined in Article 17, empowers the data subject with the right to erasure, also known as ‘the right to be forgotten’.
By exercising this right, the individual can ask the controller to delete or remove their personal data. This right is not absolute, but the controller must respond within a month, and it applies in specific circumstances such as:
- when the data is no longer needed for the purpose for which it was collected or processed
- when the data subject withdraws their consent
- when erasure is needed to comply with a legal obligation
- when the data subject objects to processing (including marketing) and there are no overriding legitimate interests to continue processing
- when the controller processed the data unlawfully
- when the personal data is processed in connection with the offer of information society services (ISS) directly to a child
This is an important element for businesses that market to individuals, and they must make sure they understand it. It includes acknowledging and acting on an individual’s withdrawal of consent to marketing communications such as emails.
Under GDPR what does an individual not have a right to?
Organisations can refuse to comply with the right to object if they can demonstrate legitimate grounds for the processing that override the interests, rights and freedoms of the individual. Additionally, it can be refused if the processing is for the establishment, exercise or defence of legal claims. Here is the detailed article by the ICO on the right to object.
5. What is the right to restrict processing?
Under GDPR Article 18, data subjects are allowed to restrict the processing of their personal data. Unlike erasure, this lets individuals ask the controller to hold their data but limit or suspend its processing in certain circumstances.
There is no particular format for a request to restrict processing; it can be made in writing or verbally. During the restriction period, the organisation or controller can store the data but cannot process it, and they have one month to respond to the request.
However, the right does not apply in every scenario; it applies in specific situations such as:
- when the data is inaccurate
- when the data has been processed unlawfully
- when the data processing is no longer needed, but the data subject wants the controller to hold the data to establish or exercise a legal claim
- when the data subject has exercised the right to object or the right to rectification (where processing is based on the performance of a task in the public interest or on legitimate interests) and it is being considered whether your organisation’s legitimate interests override those of the individual
6. What is ‘the right to data portability’?
The right to data portability allows an individual, in certain circumstances, to obtain a copy of their personal data that you have or are processing on them.
With the right to data portability, the data subject can obtain, move, copy or transfer the personal information they have provided from one controller’s environment to another, securely and in a structured, machine-readable format. This right also allows individuals to ask the controller to share the data directly with another controller.
The right to portability applies only where the data is processed on the basis of consent, processed lawfully, and processed by automated means rather than on paper files, handwritten notes or hard copies.
The right to repatriation
Individual rights under GDPR, repatriation: the right to repatriation of data allows data subjects to copy or transfer personal data easily and securely from one environment to another without affecting its usability.
This right to data portability applies where an individual has consented to their personal data being used for specific purposes and later wishes to withdraw that consent, where processing is based on a contract with the individual and they have not fulfilled their obligations, or where processing is for legal reasons.
FAQ: Do you have the right to repatriation under GDPR?
Yes, you have the right to repatriation under GDPR. The right to repatriation is also known as the right to data portability. It is one of the eight fundamental rights that individuals have under GDPR.
7. What is ‘the right to object’?
Individuals have the right to object to the processing of their personal data, including to direct marketing. To continue processing, you must be able to demonstrate compelling legitimate grounds for it that serve your interests or those of third parties. An individual can also withdraw consent at any time. Businesses must delete personal information within 30 days of a request from an individual unless there is another legal reason for keeping it, such as compliance with anti-money laundering or fraud prevention rules.
In some circumstances, processing of personal data can continue if the data controller has a valid reason for doing so. In that situation, they must inform the subject that they are processing the personal data for research purposes or for the performance of a task, e.g., a legal one. However, there is no way for the controller to refuse an objection to direct marketing.
8. What are the ‘rights about automated decision making and profiling’?
Before we delve into the last principle, let’s understand the basics.
What is automated decision making?
Automated profiling is when a computer system automatically combines personal data from different sources to form an overall opinion about someone. For example, suppose you are looking at the prices of cars and flight tickets on your phone while browsing search engine results for “Spain”. In that case, that information could be used by companies like Facebook or Google to advertise products relevant to your interests. This process can also have a negative effect where incorrect assumptions are made based on the profile, because it cannot account for other factors such as family status.
With that in mind, the rights about automated decision making and profiling are easier to understand: individuals can exercise their right to restrict automated decisions that involve no human interaction. Automated processing, profiling and decision-making are only allowed where they are necessary, authorised by law or based on the data subject’s explicit consent. Even then, the controller must ensure data security and keep a regular check on the system so that processing stays within what was intended and permitted by the subject.
The GDPR defines eight rights for individuals to ensure privacy and better control over personal data. These rights include the right of access, rectification, erasure, restriction of processing, portability, objection and rights about automated decision-making and profiling. How is your business ensuring GDPR security and privacy? If you haven’t taken any steps or don’t know where to start implementing these protections into your website or digital marketing strategy, contact us today!
In the ever-evolving cyber threat landscape, businesses need a proper set of principles for collecting, storing and processing data, and policies for discarding or deleting it. While protecting customer or user data is primarily the responsibility of businesses, data subjects still need to keep track of the personal data they have shared with anyone, including organisations, companies or individuals.
Get in touch to discuss your privacy concerns or schedule a GDPR vulnerability assessment or pentest. We help businesses incorporate a data privacy model according to their business needs and processing requirements.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.