GDPR - New rules for privacy: Four new rights of the individual
The changes introduced by the GDPR in 2018 are substantial and aim for a higher level of data protection. The Regulation is again a wide-ranging piece of legislation passed by the EU and introduces new concepts like the ‘right to be forgotten’ and data portability (to call out only a few) which will take some getting used to.
The four new rights for the individual are:
- Rectification, this concerns the right to see your own data and to have it rectified;
- Erasure, popular under the term “right to be forgotten” as this concerns the right to have your data erased;
- Data Portability, which is the right to have your data transferred to a different processor/controller;
- Objection for direct marketing concerns the right to have a controller and processor stop processing for the purpose of direct marketing.
I have listed an overview of the key requirements from two perspectives, the individual rights and the obligations of the organisation.
The rights of the individual:
- Rectification (NEW)
- Erasure (NEW)
- Data Portability (NEW)
- Objection –Absolute for direct marketing (NEW)
- Restrict processing (put on hold)
- Automated decisions and profiling
- Access to data
- Remedy from supervisory body/court
- Compensation for Damage
- Compensation for Distress
|The obligations of the organisation:
- Consent harder to obtain/prove
- Privacy notices more detailed/clearer
- Proactively Demonstrate Compliance
- Breach Notification (72 hours) -To individual and regulator
- Appointment of Data Protection Officer (250+, or high-risk processing)
- Privacy by Design
- Privacy Impact Assessments
- More obligations for Processors (Joint Controllership)
USoft has tools for the Privacy Impact Assessment (SMART PIA) and for full traceability URequire GDPR and developed an approach to facilitate compliance to the GDPR.
- Ensure that relevant departments know that the law is changing, and anticipate the consequences of GDPR.
- Document what personal data is retained, what the sources are and with whom it is shared.
- View current privacy notices, and make any necessary changes.
- Identify and document the legal basis for any type of activity of the data processing.
- Make sure that the procedures are in place to detect, report and investigate data breaches.
- Assign a data protection officer, who takes responsibility for compliance with the principles and rules regarding the protection of personal data.
Call or email for more information: