Understand people's rights

The GDPR includes the following data protection rights for individuals:

The right to be informed

  • Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
  • You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
  • You must provide privacy information to individuals at the time you collect their personal data from them.
  • If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
  • There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
  • The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
  • It is often most effective to provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.
  • User testing is a good way to get feedback on how effective the delivery of your privacy information is.
  • You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.
  • Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.

The right of access (to see the data you hold on them)

Under the GDPR, individuals will have the right:

  • to access their personal data and supplementary information

  • to be aware of and verify the lawfulness of the processing.

See our page on dealing with Data Subject Access Requests at the bottom of this page. 

Click here to download our Data Subject Access Request procedure template

The right to rectification (to update)

Individuals have the right to have their information corrected if they believe it is factually inaccurate – this is known as the right to rectification.

Click here to download our Data Subject Correction Request procedure template

The right to erasure (to be forgotten)

The right to erasure is also known as ‘the right to be forgotten’. In certain circumstances, it allows people to instruct organisations to delete or remove their personal data.

For example, if your website holds photographs of your members at camp and, 20 years later, the photo is still there, the individual can ask for the picture to be deleted.

Click here to download our Data Subject Deletion Request procedure template

The right to restriction of processing (to stop you)

In certain circumstances, individuals have a right to stop you processing their personal data. Where this right applies (eg if the individual contests the accuracy of the data or the processing is unlawful), you are still allowed to store the personal data but must not use it for any other purposes unless certain conditions apply.

In most cases the restriction will not be in place forever, but for a limited time; for example while you consider the accuracy of the data or review whether you have legitimate grounds to override the objection.

 

The right to data portability (to a copy of their data)

This lets people get hold of and re-use their personal data for their own benefit across different services. It applies:

  • to personal data a person has given you
  • when you are processing that data on the basis of consent or for the performance of a contract 
  • when the data is being processed by automated means.

For example, a Scout wants to move Scout Troops and take their badge records to the new Scout Troop.

The right to object (to say no)

Individuals have the right to object to the processing of their personal data for several reasons. In particular, you may receive an objection if your Scout Group sends direct marketing to a supporter. If this happens, you must stop using their personal data for any direct marketing purposes.

On the whole, the rights individuals will enjoy under the GDPR are the same as those under the 1998 Data Protection Act but with some significant enhancements. 

Click here to download our Data Privacy Management procedure template 

 
