
How Will the GDPR Change Individuals’ Data Protection Rights?

01 Dec 2017

For the most part, individuals’ data protection rights will be the same as they are under the current Data Protection Act but with significant enhancements. The GDPR will also introduce new rights. There will be the ‘right to erasure’; individuals can have their data deleted upon request. The GDPR will also introduce the ‘right to data portability’, which allows data subjects to access and move their personal data from one IT environment to another. Organisations will need to put policies and procedures in place to accommodate these new developments.

What are individuals’ data protection rights under the current Data Protection Act?

At the moment individuals have the right to restrict or block the processing of personal data when the information is needed only for specific legal purposes, when it is inaccurate, or when they have objected to the processing and the data controller is still investigating that objection. Individuals also have the right to:

1. Object.

The data subject can object to the processing of their personal data when it is being used for the purpose of direct marketing.

2. Access.

When requested, the data controller must provide a copy of personal data without excessive delay and for a fee.

3. Rectification and erasure.

The data subject can exercise these rights if the data is incomplete, inaccurate or not being processed in compliance with the Data Protection Act.

4. Not be subjected to solely automated processes.

This applies when processing an individual’s data results in a decision which significantly affects them in some way.

5. Fair and transparent information.

This means that an organisation’s privacy policy must detail the identity of the data controller, the purposes for processing the personal data and any information necessary to enable processing to be fair in the organisation’s specific circumstances.

How will the GDPR extend these existing data protection rights?

The right to object has been extended to include not just direct marketing but processing that is:

  • based on legitimate interests or the performance of a task in the public interest including profiling.
  • for purposes of historical or scientific research or statistics.

Access to personal data must now be provided free of charge and within one month of request. Data controllers will also be required to provide additional information to individuals such as the retention period of the data. Organisations will need to put systems in place to cope with these requests.

Requests for rectification of data must be responded to within one month but can be extended to two months if the issue is complex.

Individuals can request data erasure simply by withdrawing their consent – there are certain exceptions such as when the data is being held for public health purposes or public interest.

An individual’s right to fair and transparent processing has been strengthened. The GDPR requires that privacy information is communicated in clear, plain language – it is no longer enough to provide a long-winded privacy policy. The privacy policy must communicate the GDPR changes to individuals’ data protection rights.

What are individuals’ new data protection rights under the GDPR?

1. The right to erasure.

Individuals will have the right to erasure when:

  • data is no longer required for the original purpose
  • the data subject has withdrawn consent and there are no other grounds for processing the data
  • the data subject has objected to the processing
  • legal obligations require erasure of data
  • processing is unlawful.

If the data controller has provided personal data to a third party then they must take reasonable steps to inform third party controllers that the data subject has requested erasure.

2. The right to data portability.

The GDPR introduced this right so that individuals are no longer locked into a specific service provider. The data controller must store information in a commonly used format so that it can easily be transferred to another IT environment.

How can you prepare for these GDPR changes?

1. Update your privacy policies to make sure that new and extended rights are incorporated and that they are communicated in accessible language.

2. Assess whether you need to establish new procedures to cope with the practical implications of the extended and new rights. For instance, how will you deal with access requests? How will you take steps to erase data that has been shared with third parties?

3. Plan how your staff, operational processes and IT systems will need to adapt to accommodate GDPR changes to individuals’ data protection rights.

4. Develop your employees’ awareness of the GDPR requirements, how to implement your GDPR action plan and how to plan your internal audit cycle.


© Copyright All Rights Reserved, NDC Certification Services Ltd. 2021