What can individuals expect from organisations that process and store their information under GDPR? The detail of what is stored varies from organisation to organisation, but general principles apply.
It is important to remember that as an individual any documentation (like privacy policies) provided by an organisation has to be written in plain language. Jargon should be minimised and although there are some legal terms that will always need to be used, these should be explained to the individual so that that individual understands the impact to them.
The diagram below gives you the basic information that an individual should be aware of when agreeing to undertake business with an organisation.
At the start of any business arrangement the organisation should tell the individual what information is being collected, why it’s being collected and when it will be erased (in principle). In general, this is usually very simple explanation. The full details should be in the terms and conditions made available by the organisation. As an example, why would someone need to provide details about their health to a property salesperson? Never you might say, however, there may be some properties that do not provide wheelchair access and so not appropriate to someone with those specific needs.
An individual always has a right to know what personal information an organisation is storing on them. The process to get to this information is called a “Subject Access Request”. These can be made in any form that the original relationship was formed, e.g. verbal, online, letter/contract, but is best requested in a form that can be easily evidenced, e.g. email, or letter.
The organisation has one month to supply the specific information requested by the individual, or every piece of information if requested by the individual (this would include any the organisation has added as notes to their information).
An individual always has a right to have their data recorded accurately within, and by, the organisation. This can take many forms, e.g. address changes, email account changes, mobile number changes, but it should always be responded to by the organisation via a medium that has not yet been changed by the individual.
Furthermore, if an organisation is made aware of a change in the detail of an individuals data, they also have a responsibility to change it. How any times do you go to use a payment card in an online transaction only to be told that you need to enter new details – for example,the card expiry date has been reached. This is the right of rectification being actioned in this way. From their own data the organisation knows that the expiry date on the payment card has been reached and prompts the individual for new details.
Once a request has been made to change information, it should be completed within 30 days.
An individual always has a right for their personal information to be removed from the records of an organisation (in whole or part), unless there is a requirement to hold them for some legal purpose. In principle, this would include the automatic removal of an account following long periods of inactivity, e.g. a number of years. So, if an individual dies and there is no-one to request removal of their details from the records of a company there should be a process to remove them. This is not realistic for many smaller companies unless they have already built in a review process in line with their Data Policy.
Once a request has been made to remove information (or that it has been identified from internal processes), it should be completed within 30 days.
Like the “Right of Rectification”, this right can also be originated by either party, but this time with equal responsibility! Obviously an individual can request an organisation to restrict processing, like unsubscribing from marketing, but not wanting to close their account completely.
An organisation has the obligation to, from other data it has received, restrict processing if they feel it could make personal data of an individual unsafe.
As an example of this, the receipt of a subject access request, if detailed enough, can stop the organisation utilising all, or part, of an individuals’ data in their processes.
This right is restricted to protect the individual with processes that require no human intervention and happen completely automatically. In these cases, individual processes, can be transferred from one organisation to another on your request and the original organisation cannot contest it.
The typical case that happens in daily life is the transfer of standing orders and direct from one bank to another as you change bank accounts.
This right combines with other rights, like restrict processing (especially when direct marketing is involved in the process). As an example, and perhaps a little obscure, if you do not want to receive a birthday message (or some other anniversary) from your social media site, you should know of the mechanism to stop the notification being sent to you. This obviously isn’t direct marketing, but it may be something that you do not want advertised anymore. For direct marketing, see the explanation in “Restrict Processing” above.
This right can be obscure, in my opinion, and challenges some of the important work being completed on AI and automation. As you can imagine, there are some individuals that do not want to have critical decisions undertaken only where the view of an automated script makes those decisions, while other are comfortable with it. Some examples of where this might happen are, bank loans, job applications through job boards, and there are plenty of other to. As an individual you have the right to request another review, completed using human intervention to determine the outcome.
There is so much more information available, some of it very detailed. Please look through the other blogs and see if the information you want is provided.
If not, we would be pleased to answer your enquiry through firstname.lastname@example.org , or visit
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information direct from the ICO.