What the ICO says –
“You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.”
What does this mean for your organisation –
Policy and procedure time again. An individual (Data Subject) has the following fundamental rights under the GDPR:
- The right to be informed – What, why and in what way their PII will be processed.
- The right of access – To know what PII is held on them, by whom and why.
- The right to rectification – To have corrections made to their PII.
- The right to erasure – To request to be forgotten (i.e. all PII erased from all systems).
- The right to restrict processing – To ask organisations to stop processing their PII.
- The right to data portability – To ask for their PII in a machine-readable format and/or have it sent to another organisation.
- The right to object – To object to organisations processing their PII.
- Rights in relation to automated decision making and profiling – Protection against targeted marketing and/or automated decision making.
There are caveats and derogations relating to these rights, and there is a lot of detail within the GDPR articles covering them, too much to put in this snippet. Suffice to say, your organisation must have procedures in place that allow for the lawful handling of each of these 8 individual rights. Any procedures in an organisation will also need to be in line with the 7 GDPR principles, which adds another layer of complexity that needs to be considered.
The 12 Days of GDPR snippets are not designed as a guide to make your organisation GDPR compliant; they are just to whet your appetite and get you started. BMGUK Consultancy Ltd has one of the few certified EU GDPR Practitioners in the UK, so get in touch and I can assist your organisation to become GDPR compliant.
What is the GDPR? – It is the new evolution of data protection across the EU. On May 25th, 2018 the General Data Protection Regulation becomes enforceable, so if your organisation processes personally identifiable information of any EU resident then you need to be prepared for the GDPR; otherwise your organisation could face significant penalties.
From the largest multinational down to the smallest of sports clubs anywhere in the world, if your organisation offers goods or services, even free ones, to EU residents, then it is highly likely that your organisation will be required to comply with the GDPR.
Whether your organisation is based in the UK or overseas, get in touch with BMGUK Consultancy Ltd for all your GDPR needs.