Individuals' rights and GDPR

Looking at the rights of the individual under GDPR and what businesses need to take into account when preparing for compliance.

The whole point of Data Protection Regulations is to protect individuals and companies from the effects of the collection, processing and onward transmission of data.

GDPR simply expands on existing regulations and updates them for 21st-century life given the ever-increasing amount of personal data that is being gathered.

One of the current rules in the UK is the right of access to data held about an individual. Known as Subject Access Requests, these have been around for a number of years and allow people to obtain copies of data held about them on payment of a modest fee.

Although these exist currently there are some enhancements in the pipeline.

Access requests need to be completed within a month (currently 40 days) and, in general terms, will need to be supplied free of charge. In certain cases companies can make a small charge, but this will need to be reasonable.

Although companies have the ability to refuse requests that are clearly unfounded or unreasonable they will need to have a process in place that will inform the individual of the reasons for this.

For smaller companies, Access Requests may simply be a case of setting up templates and dedicating a member of staff to replying but for larger organisations that receive a lot of requests it may require more thinking about the logistics needed.

People will also have the right to have their data deleted from a company’s records and it is important for businesses to identify exactly how they would go about this.

Whilst in some cases it may be a simple matter, for some companies data may be held on computer systems that specifically block users from deleting records and system changes may be required.

The simplest form of data collection, that of writing information down on paper, might seem easy, but think about how you would access data held in hard copy sales books, for instance, and how it would be possible to locate and delete that information.

A further right is that of rectification. Although this exists in some forms at the moment, GDPR makes this a basic right and puts rules around when this must be done and how quickly. Again businesses that hold a lot of data on systems that do not allow alteration will need to look at system changes and upgrades.

Alongside this, the individual also has the right to restrict processing of their information. Often this may be because they contest the accuracy of the data but there are a number of other circumstances where you may have to hold information but not process it.

Whilst this applies to the company that collects and holds the data, it also applies to other organisations that may have received the data during the normal course of business, and so you will need to think about how you would inform other companies of the restriction.


We often hear of people who have decisions made about them in some seemingly automated way with the ‘computer says no’ mentality having pervaded everyday life.

Under GDPR people have the right to not have decisions made about them that are automated or amount to profiling.

There are restrictions in that it applies to decisions that have a legal effect or that are ‘similarly significant’ but companies that have automated decision-making processes can probably expect challenges along the way.

Individuals must have the right to some form of human intervention and review and alongside this must also be able to give their point of view and challenge the decisions.

Companies can make automated decisions where it is necessary for the performance of a contract, where it is legally authorised or where the individual has given explicit consent.

There are some further requirements on companies that want to process data in an automated way.

The company must ensure that it is carried out in a transparent and fair manner and will have to provide meaningful information about how the decision was arrived at.

They will also have to ensure that the processing methods are not only relevant and provide accurate results but also that potential inaccuracies are kept to a minimum. The business will be required to provide a method to correct any inaccuracies in a timely manner.

As with all parts of GDPR, when processing automatically the holder of the data will need to ensure that appropriate security measures are taken to prevent breaches.

For most companies that currently comply with Data Protection law, GDPR won't come as a massive shock and it is fair to say that many of the best businesses already have effective systems and processes in place to comply substantially with the new requirements.

That having been said it is also true that even those businesses that lead the way in data protection compliance will be looking at every aspect of their operations to ensure that they are ready to meet the new legislation.

For other firms, it is important that they make an early start to meet the needs of GDPR and that they have systems and processes in place well before 25th May 2018.

We hope that this has proved useful and we’ll be expanding on some of the main themes in GDPR in the coming days and weeks. Check back soon for our latest article and a free handy questionnaire to enable your GDPR project to get off to a great start.

