Feb 10, 2021 | Blog, GDPR

Data Subject Rights and the GDPR

Howard Freeman

Howard Freeman

The EU GDPR (General Data Protection Regulation) gives individuals eight rights relating to their personal data. Organisations must let individuals know how they can exercise these rights and meet requests promptly. Failure to do so is a breach of the GDPR. To begin with, we should understand what a data subject is.

What are the Data Subject Rights?
The GDPR gives individuals eight rights

What is a data subject?

The term ‘data subject’ refers to any living individual whose personal data is collected, held or processed by an organisation. Personal data is any data that can be used to identify an individual. This can be a name, home address or even a credit card number. This now includes a facial image.

The eight rights of data subjects under the GDPR

The right to be informed

Organisations must tell individuals what data is being collected. This must include how such data is being used and how long it will be kept. This will also state whether it will be shared with any third parties. This information must be communicated concisely and in plain language. Typically, this is set out on a businesses external privacy notice and the statement made will relate to polices created inside the business. Anything less is not compliant to the regulation.

The right of access

Individuals can submit subject access requests. Such requests re better known as DSAR’s or Data Subject Access Requests. Organisations are required to provide a copy of any personal data they hold concerning the individual. Organisations have one month to produce this information. However, there are exceptions for certain types of requests. A DSARcan be disallowed if it is manifestly unfounded, repetitive or excessive, it

The right to rectification

Should an individual discover that the information an organisation holds on them is inaccurate or incomplete, they can request that it be updated. As with the right of access, organisations have one month to do this, and the same exceptions apply.

The right to erasure

When individuals can request that organisations erase their data in certain circumstances including when the data is no longer needed. Perhaps the data was unlawfully processed, or it no longer meets the lawful grounds for which it was collected. This includes instances where the individual withdraws consent.

The right to erasure is better known as ‘the right to be forgotten’ and is one of the more well-known elements of the GDPR.

The right to restrict processing

Individuals can request that an organisation limits the way it uses personal data. This is an alternative to requesting the erasure of data. When an individual contests the accuracy of their personal data. Or, perhaps, when they no longer need the information. However, the organisation might require the data to establish, exercise or defend a legal claim.

The right to data portability

Individuals can obtain and reuse their personal data. This can be for their own purposes across different services. This right only applies to personal data that an individual has provided to data controllers by way of a contract or consent. For example, if you are trying to buy insurance on-line, portability means you need to fill in all your details every-time.

The right to object

Individuals can object to the processing of personal data. It does not matter whether collected on the grounds of legitimate interests or the performance of a task. However, organisations must stop processing information unless they can demonstrate compelling legitimate grounds for continuing to do so. If the processing that overrides the interests, rights and freedoms of the individual. Alternatively, if the processing is for the establishment or exercise of defence of legal claims, then they must cease.

The GDPR includes provisions for decisions made with no human involvement. This includes profiling, which uses personal data to make calculated assumptions about individuals. However, there are strict rules about this kind of processing. When the rules aren’t being followed, then an individual is permitted to challenge and request a review of the processing

Now we know the rights of data subjects, do you know how to go about ensuring your business is compliant? Do you have an individual rights policy? Are the rights fully understood by all staff? Is it part of the staff handbook?

However, GDPR Compliance isn’t just about polices. GDPR is about knowledge and understanding throughout your business. Therefore, all staff should be suitably trained and their understanding tested accordingly. Consequently, staff will know what a data breach looks like or what an individuals rights are. So, if they spot a breach of the regulation, they will know what to do and to whom they should speak.

Do you need help with understand individuals rights? Do you have an individual rights policy? We are here to help you to meet this vitally important part of the GDPR.

Call us today on 03333 22 1011 or contact us here.


Can we help?