rights and breaches

Topics to be covered

  • Who is a data subject
  • Data subject rights
  • Processing children’s data
  • Individual rights
  • Privacy by design
  • How to adhere to the law
  • Breach notification
  • Summary
  • Assessment

Who is a data subject?

A data subject is any living individual who has his or her data collected or processed by an organisation. Everybody at some point in their lives will become a data subject, whether it is because they are applying for a job, booking a holiday or using a bank card. What’s more, browsing the internet can result in disclosing personal data.

Data subject rights

The GDPR sets out rules that help data subjects enforce their rights when there has been a misuse of personal data. Data subjects have the right to:

Access personal data

Data subjects have a right to obtain a copy of the personal data held about them, including information on how it is being collected, used and processed lawfully. This right covers confirmation that personal data is being collected and used, details of the purpose of processing (privacy information), who the data will be shared with, how long it will be stored and why, the source of the data, and receiving a copy of the personal data held.

Rectification

This allows the data subject to have inaccurate information rectified and incomplete data completed. The rectification can be requested verbally or in writing and, in some cases, the request can be refused.

Be forgotten

Data subjects can request the deletion of personal data. This can be done verbally or in writing. However, this right is not absolute and only applies in certain circumstances. Some of these circumstances include:

→ the personal data is no longer required for its original processing purpose

→ if the erasure of personal data is required by law

→ if the processing of personal data is for direct marketing purposes

Restrict processing

The processing of personal data can be restricted when:

→ the accuracy of the personal data is questioned
→ the processing is against the law
→ the data is required for a legal situation
→ there has been an objection raised about the processing

Restricting processing is an alternative to the erasure of personal data.

Data portability

When an individual’s personal data is being processed, it must be made available in formats that are easily transferred between different systems. This is the responsibility of the data controller. An example of this would be transferring data from one cloud-based system to another.

This right only applies when:

→ the lawful basis for processing is consent or a contract

→ the processing is carried out by automated means.

Processing children’s data

We deem a child to be anyone under the age of 18. The GDPR states that children’s data requires specific protection. This protection extends to the online processing of children’s data.

When addressing children, it must be in plain and clear language that they can understand. This is because children may be less aware of any risks involved in the processing of personal data.

Transparency is key when processing children’s data. You must make children (and their parents) aware of the data protection risks. This can be done by:

→ explaining what will be done with the personal data

→ being open about the risks and safeguards involved

→ advising what to do if they are unhappy

The GDPR requires that children receive age-appropriate privacy notices. They also have the right to have personal data erased; this is particularly relevant when processing is based upon the consent of a child. In the UK only children aged 13 and over can give their consent.

Individual rights

The GDPR provides individuals with rights regarding their data. Organisations must inform individuals how they can exercise these rights and react to any requests promptly. Failure to comply could lead to disciplinary action.

The GDPR provides the following rights:

The right to be informed – organisations must inform individuals what data they have collected, how the data is used, how long it will be held and if it will be shared with any third parties. This information must be given concisely and in plain language.

The right of access – individuals can request access to personal data an organisation holds about them. Organisations must oblige and provide a copy of any personal data they hold concerning the individual. The organisation must provide this copy within one month of the request. There are times when the request can be denied, such as when requests are repetitive or excessive.

The right of rectification – if the information an organisation holds about an individual is inaccurate or incomplete, the individual can request that it be rectified. Organisations have one month to do this, and the same exceptions apply as for the right of access.

The right to erasure – individuals can request that their data is erased in certain circumstances, for example when the data is no longer necessary or when it was unlawfully processed. This includes when the individual withdraws consent. The right to erasure is also known as ‘the right to be forgotten’.

The right to restrict processing – organisations can be asked to limit the way they use personal data. It is an alternative to requesting that data be deleted. This right may be requested when an individual questions the accuracy of their data, or when they no longer need the information but the organisation requires it for legal situations.

The right to data portability – this right applies only when the data the individual provided is processed on the basis of a contract or consent. It allows data to be easily transferred to other data controllers across different services.

The right to object – if an individual objects to the processing of their data, the organisation must present evidence of legitimate grounds that override the rights and interests of the individual. The processing can also continue if it is for legal purposes.

The right to withdraw consent – data subjects have the right to withdraw their consent at any time. This means organisations must put a plan in place to ensure that the process is simple and effective. The data subject should be informed of this right before giving their consent.

Rights related to automated decision making – individuals have the right not to be subject to purely automated processing. The GDPR has provisions covering decisions made without any human involvement. Profiling, for example, uses the information to make assumptions about data subjects. Individuals can request a review of the processing if they think the rules aren’t being followed.

Privacy by design

The GDPR states that organisations are required to have a system in place that implements the data protection principles and protects individual rights.

This means that an organisation must consider data protection before any business activity, from the design stage right through to day-to-day operation.

Privacy by design is about considering privacy issues with everything you do, right from the start. It helps to ensure that you comply with the GDPR fundamental principles.

How to adhere to the law

When we process personal data, the steps taken must be reviewed to ensure GDPR compliance. To meet the requirements, organisations must ensure that:

→ an appropriate mechanism is in place to obtain individuals’ consent to collect and process their data

→ the information is lawfully processed

→ the data is processed for a specific purpose

→ only the minimum amount of data is collected, and it is relevant to the purpose

→ the data is not kept for longer than necessary

→ the correct lawful basis is applied to the processing and is in line with the individual’s rights

→ all personal data is kept safe and secure

→ the personal data is not transferred to countries outside the European Economic Area unless the data has sufficient protection

If an organisation doesn’t comply with the regulations, then a notice may be served to stop the processing of data along with significant fines. Data protection officers and other employees responsible for compliance can be held criminally liable where non-compliance takes place.