Have a plan in place to respond to people's rights regarding the personal data you hold about them
You need to have a system in place to ensure you can cover all the rights individuals have, including how you would delete personal data or provide data electronically if requested.
On the whole, the rights individuals have under the GDPR are the same as those under the 1998 Data Protection Act but with some significant enhancements. If you are geared up to give individuals their rights now, then the transition to the GDPR should be relatively easy.
This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted, for example. Would your systems help you to locate and delete the data? Who will make the decisions about deletion?
The GDPR includes the following data protection rights for individuals:
The right to be informed
Individuals have the right to know why and how their personal data is being processed. You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. This is called ‘privacy information’ or a ‘privacy statement’. Having a good privacy notice will help make sure you’re protecting this right
The right of access
Under current data protection law, people already have the right to ask you for a copy of all the information you hold about them. This is called a subject access request.
The right of individuals to access their personal data does exist under the GDPR. So, you need to make sure you have processes in place that allow you to provide this information to the individual making the request. Under the new law you’ll need to provide the information within one month.
A calendar month ends on the corresponding date of the next month (eg 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (eg 31 January to 28 February).
This means that the legal deadline will vary from 28 days to 31 days depending on the month. For practical purposes if a consistent number of days is required (eg for a computer system), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
A copy of the requested information must be provided to the individual free of charge unless the request is what the law calls ‘manifestly unfounded or excessive’, in particular if it is repetitive. If you decide to charge a fee, it must be based on the administrative cost of providing the information.
If you refuse, you must tell the person why and let them know they can complain to the ICO or seek a judicial remedy. You have to do this as soon as possible and within one month.
The right to rectification
Individuals have the right to have their information corrected if they believe it is factually inaccurate – this is known as the right to rectification.
The right to erasure
The right to erasure is also known as ‘the right to be forgotten’. In certain circumstances, it allows people to instruct organisations to delete or remove their personal data.
For example, if your website holds photographs your members at camp and 20 years later the photo is still there the individual can ask for the picture to be deleted.
If you receive a request for the deletion or removal of personal data, you must consider the grounds for the request and decide whether you should comply or whether the law allows you to refuse.
The right to restriction of processing
In certain circumstances, individuals have a right to stop you processing their personal data. Where this right applies (eg if the individual contests the accuracy of the data or the processing is unlawful), you are still allowed to store the personal data but must not use it for any other purposes unless certain conditions apply.
In most cases the restriction will not be in place forever, but for a limited time; for example while you consider the accuracy of the data or review whether you have legitimate grounds to override the objection.
The right to data portability
This is a new right that lets people get hold of and re-use their personal data for their own benefit across different services. It applies:
- to personal data a person has given you
- when you are processing that data on the basis of consent or for the performance of a contract
- when the data is being processed by automated means. For example, a Scout wants to move Scout Troops and take their badge records to the new Scout Troop
You will need to provide the personal data in a structured commonly used and in a machine readable form and provide the information free of charge.
The right to object
Individuals have the right to object to the processing of their personal data for several reasons. In particular, you may receive an objection to your Scout Group sends direct marketing to a supporter. If this happens, you must stop using their personal data for any direct marketing purposes.