DATA, INFORMATION MANAGEMENT

Our DATA, Our Rights!

I recently had an opportunity to work on a very interesting GDPR (General Data Protection Regulation) project to ensure our client was fully GDPR compliant.  It was an exciting journey, and today I am here to share my knowledge of what GDPR means for an individual and what our data rights are!

Firstly, what is GDPR?

GDPR (General Data Protection Regulation) is an EU data protection law that came into effect across the EU, including the UK, on 25th May 2018. It applies to all organisations established in the EU, and also to organisations outside the EU if they offer goods or services to, or monitor the behaviour of, people in the EU.  In a nutshell, GDPR applies to any organisation processing or holding the personal data of individuals residing in the European Union, regardless of where the organisation itself is located.

All organisations should be GDPR compliant by ensuring that all the personal data they store and process is handled in line with the seven key principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. 

Personal data, in GDPR terms, is any piece of information that relates to an identified or identifiable individual.  A name or email address is obvious personal data, but so is anything that can be used to single someone out, such as an online identifier, an identification number or location data.

An organisation not complying with GDPR can face a financial penalty of up to 4% of its annual global turnover or €20 million, whichever is higher. 

But what does this regulation mean for an individual?

While organisations are taking action to ensure they comply with GDPR, it is equally vital for us as individuals to know how organisations use our personal data and what rights we have over it. 

But why? Well, because today we live in a data-driven world, where our personal data (name, email address, telephone number, postal address and so on) is collected in various circumstances by various organisations for distinct purposes.  For example, our personal data gets collected when we make an online application, book a hotel or a flight, post on social media, browse websites, or when organisations share or transfer data between themselves. 

So, below are the eight rights individuals have over their personal DATA!

1. Right to be informed:  

Should we be informed when an organisation collects our data?

The answer is a BIG YES! When an organisation collects personal data directly from us, it should provide us with privacy information at the time of collection.  If an organisation received our information from a different source, it should still provide us with a privacy notice within a reasonable period, and at the latest within one month.

So, what information should be included in the ‘privacy information’?

The privacy notice should, among other things, cover the below two key items:

  • Personal data:  The organisation should tell us who they are, what personal data they collect and process, the purpose and lawful basis for processing it, how long the data will be retained (or the criteria used to decide the retention period), and whether the data is used for profiling or automated decision making. 
  • Data sharing/receiving: The organisation should tell us if our data is shared with third parties or transferred to other countries. In that case they must also tell us who the recipients (or categories of recipients) are, which countries the data is transferred to and what safeguards apply, along with the purpose of the sharing and how the data is intended to be processed. If they obtained our data from another source, they should tell us where it came from.

Additionally, the organisation should let us know how to contact them, what our rights are, and that we have the right to complain to the ICO (Information Commissioner’s Office), the UK’s data protection regulator.

2. Right of access:  

As an individual, we have the right to find out whether an organisation is processing or storing our personal data and, if so, to obtain a copy of that data along with supplementary information such as the purposes of the processing, who it is shared with and how long it is kept. 

We can make this request (commonly called a subject access request, or SAR) to the organisation either verbally or in writing, and the organisation must respond within one month.  The request does not have to use any particular wording or be addressed to any particular person, so organisations need to be able to recognise one however it arrives.

3. Right to rectification:  

If the data an organisation holds about us is inaccurate or incomplete, then as an individual we have the right to have it corrected or completed by contacting the organisation.  Where possible, the organisation should also pass the correction on to anyone it has shared the data with.

Can the organisation refuse to comply with a request for rectification?

Yes, the organisation could refuse to rectify the data in certain circumstances, such as if the request is manifestly unfounded or excessive, for example because it is repetitive in nature. In these cases the request could be rejected, or the organisation could charge a reasonable fee to process it.  The organisation may also decline if it is satisfied the data is already accurate, but it is good practice to then record that we dispute its accuracy.

If the request is rejected, the individual should be told the reason for the rejection without undue delay and informed of their right to complain to the ICO and to seek a judicial remedy. 

4. Right to erasure: 

GDPR gives individuals the right to have the personal data an organisation holds about them deleted, which is also called “the right to be forgotten”.  However, this right is not absolute, and it only applies in circumstances such as when

  •     the organisation no longer needs our data for the purpose it was collected for,
  •     we have withdrawn our consent and there is no other lawful basis for the processing,
  •     we have objected to the processing and there is no overriding legitimate interest to continue,
  •     the organisation processed our data unlawfully, or
  •     the organisation has a legal obligation to erase it.

The organisation can refuse where it still needs to keep the data, for example to comply with a legal obligation or to establish or defend legal claims.

5. Right to restrict processing:

As an individual, we have the right to limit the ways an organisation processes our data, for example while the accuracy of the data is being checked or while an objection we have raised is being considered.   In this case the organisation can still store the data but is restricted in how it can otherwise use it. Restriction is usually temporary and can be lifted once the organisation is satisfied it is entitled to resume processing, but it must inform us before the restriction is lifted. 

6. Right to data portability:

This right allows individuals to obtain and reuse their personal data across different services in a secure way.  It applies only to data we have provided to the organisation, only where the processing is based on our consent or on a contract with us, and only where the processing is carried out by automated means. 

We can request an organisation to give us our data in a structured, commonly used and machine-readable format (for example CSV or JSON), or to transmit it directly to another organisation where that is technically feasible.  “Data we have provided” covers not only the details we typed in, but also data the organisation observed from our use of its service, such as

  • Data collected by a wearable or any other device that records our activity
  • Information collected about our location
  • Search and browsing history etc.

It does not cover data the organisation has derived or inferred about us from that raw data, such as a profile or a score it has built.

7. Right to object:

The next right is the right to object to our personal data being processed by an organisation in certain circumstances.  For direct marketing this right is absolute: once we object, the organisation must stop using our data for that purpose.  Where the processing is based on the organisation’s legitimate interests or a public task, the organisation must stop unless it can demonstrate compelling legitimate grounds that override our interests, or the processing is needed to establish or defend legal claims.

8. Rights related to automated decision making including profiling:

There are two other ways our data can be used:

  • Automated decision making: a decision made about us solely by automated means, without any human involvement.
  • Profiling: automated processing of our information to analyse or predict things about us, e.g. using our data to work out our interests for marketing purposes.

GDPR does not ban profiling outright, but it restricts decisions that are based solely on automated processing and have legal or similarly significant effects on us (for example, an automatic refusal of an online credit application).  An organisation can only make such decisions where it is necessary for a contract with us, authorised by law, or based on our explicit consent.  It must also tell us that it is doing so, and allow us to obtain human intervention, express our point of view and contest the decision. 

Requesting the organisation: 

As individuals, we have all of the above rights, and we can make any of these requests to an organisation either verbally or in writing.  The organisation should respond within one calendar month, although this can be extended by a further two months if the request is complex or we have made several requests, in which case they must tell us within the first month.  The service is free of charge in most circumstances, but a reasonable fee can be charged, or the request refused, if it is manifestly unfounded or excessive, such as when it is repetitive.

And finally, we have reached the end of this post. Once again, just to remind you all: we live in a data-driven world, and it is essential to be aware of our data rights! So always remember...

Our DATA, Our Rights!