General Data Protection Regulation (GDPR) was enforced in 2018. At the time of enforcement it granted every individual eight fundamental GDPR data subject rights. Each had a single common goal – to give every person total control over their individual personal data.
The eight fundamental GDPR Rights Of The Data Subject
Some of the rights already existed but were further enhanced during the 2018 enforcement. Other rights were unique to GDPR, for instance, data portability.
Right To Information Or To Be Informed
This right allows every individual to be aware of:
- What personal data is being collected.
- Why is it being collected.
- Who is collecting their personal data.
- The duration for which the data will be stored.
- How can they file a complaint in case of any breach.
- Who will the data be shared with.
The organization (the data collector) is legally obligated to provide with the above information.
Right To Access
This right allows every individual to present subject data access requests. This allows getting the information from the organization on whether individual personal data or information is being processed.
The organization is legally obligated to present to a copy of individual personal data which they have about the person.
Right To Modification Or Rectification
Right to rectification permits every individual to seek data from the organization to update incomplete or inaccurate data on the individuals.
In the event organization reverts confirming data inaccuracy, then as per the legal requirement, the organization has to respond to the request within a month.
Upon receiving the request, the organization needs to take certain steps to confirm that the personal data is actually inaccurate. Accordingly rectifying the same needs to be conducted.
This particular right creates operational challenges for the company or the organization. This is because rectifying a single data set has much wider consequences on the entire database.
Right To Be Erased Or Forgotten
Right to erase or forget is one and same. The right provides every individual to seek for their individual personal data to be purged/deleted in the event:
- The individual personal data is not necessary to store anymore.
- Any individual chooses to withdraw the consent.
- The individual personal data has been processed illegally.
- An individual raises objection to processing of data and the organization no longer has a reason to process the data.
- If law has mandated deletion of the data then the organization has to comply.
The organization must comply until and unless they can prove that the specific request requires a disproportionate effort or it is just not possible to comply.
Right To Processing Restriction
Every individual can make a request that the organization limits or controls the way in which it uses individuals’ personal data. In simple words, the organization is not legally obligated to erase the data, however, they are obligated to limit or refrain from processing the same.
However, the right can be implemented only in specific situations such as:
- Inaccurate data.
- In the event processing is illegal, but the individual does not wish to erase the data but only wants restrictions.
- The individual does not desire for the data to be deleted but the organization does not want to store it anymore, then the legal right can be exercised.
- The organization is working to verify the data deletion request.
The right protects the individual user’s data as the organization is not allowed to process it without the individuals consent.
Right to Data Migration Or Portability
It is one of the most novel rights amongst all of the data subject rights. It permits individuals to access their personal data. This is with the organization in a commonly used, structured and machine readable data format.
Individuals can make a request to transfer their personal data to another organization. However, it is applicable only to the data which is provided by the individual to the organization by consent. Additionally, it can apply as per the contractual obligation, only if the processing is automated and not done manually.
It is also applicable to behavioral data of individuals. This could include location, webpage history, search history and more.
Right To Object Data Processing
This particular right allows every individual to raise an objection at anytime against processing of their personal data under certain specific conditions. These include the purpose for processing and lawful requirement for processing.
Every individual has the right to halt the processing of their individual personal data used for marketing purposes. They can also raise an objection on the grounds of public interest or their legitimate individual interest.
Read: Top 10 Cybersecurity Strategies For Preventing Data Breaches
Rights With Regards To Automated Profiling And Decision Making
GDPR compliance demand strict regulations and rules when it comes to processing of individuals personal data which is automated and does not involve human intervention.
This covers various types of profiling. This could include evaluation of some personal aspects related to an individual. These could predict or analyze different aspects of an individual’s behavior, economic condition, work performance, health, location and many others.
This right ensures that data is not processed in an automated fashion, if it significantly impacts them legally.
However, automated processing is allowed if it is approved by law, required as per the performance contract, or the individual has given consent.