GDPR 8 Rights - What Your Team Needs to Know
The countdown to GDPR continues, with only a few weeks now before the implementation date. If you are an avid reader of our articles you will be aware that, in my opinion, firms should concentrate on the 8 rights more than the 6 principles under GDPR, as the 8 rights mark a significant shift from the previous data protection legislation.
I will caveat the above. It’s also imperative that you follow the accountability principle, manage your suppliers, follow the new breach reporting rules, implement privacy by design and default, and make proper use of DPIAs. We can give you further information, including DPIA templates, on these areas, but this article will focus on the 8 rights and what your front line staff members should know.
Right to be informed
The right to be informed is the idea that those whose data is processed are told by the data controller that their data is processed, the extent to which processing occurs, why processing is taking place and a range of other information, such as how to exercise their rights. Usually the right to be informed will be satisfied via a fair processing notice / privacy notice. Your team needs to know this. First line agents also need to be aware of whether it is your firm or another which provides the notice to the customer (remember it is the controller who must send it). Importantly, your team needs to be able to discuss with the customer the manner in which their data is processed; it should be noted that the requirement to be informed extends beyond the written notices to providing the same information upon request.
Right to access
Similar to the right of subject access we have today, the right to access slightly expands the information the data subject can request, shortens the timescale to thirty days and removes the fee payable. Staff need to understand this and be able to follow internal processes to raise the request following a verbal request from a data subject; remember, it is a right that can be exercised verbally. Staff must be trained not to demand that requests are placed in writing!
Right to rectification
This right is about having incorrect data, well, corrected. There is a nuanced difference between the data subject simply calling in to inform you of, say, a new address and someone invoking their right to rectification, which requires a response from the firm. Staff must be trained to recognise this difference and follow the correct procedure. They must also understand the timescales involved so they manage the customer’s expectations accordingly.
Right to object
This right only applies in certain situations and staff must be aware when it does and doesn’t apply. Where it does they need to be able to inform the customer that a response will be provided within 30 days and be able to follow internal processes.
Right to restrict
Front line agents will need to understand the definition of the right and be able to follow due process where a request to restrict information has occurred and is valid. Again, capability of following internal processes is paramount.
Right to be forgotten
The real “headline” of GDPR is the right to be forgotten, or, to be correct, the right to erasure. A higher proportion of the public is aware of this right and, in turn, it is the most misinterpreted area. For one, many believe it applies no matter the legal basis for processing. As a result, firms can expect many requests to be forgotten where compliance is not required. Staff must be aware of when and why the right to be forgotten applies and be able to explain this to data subjects. Where it does apply, they must be able to follow internal processes to complete the action properly.
Right to portability
Again, this right has fairly limited application depending on the type of processing taking place and the type of controller undertaking the processing. Staff must be aware of whether it applies and, where it does, how to follow internal processes.
Rights in relation to automated decision making and/or profiling
As above, this right depends on the nature of the business processing the data and how it does so, for example the consequences of the processing and whether human intervention is already part of the process. But, generally, staff will need to be aware of the right, when it does and does not apply, and be able to converse with data subjects about this.
So, what next?
Firms should by now have created their relevant processes for each right and be in the process of training their team members on them. To help, we have created template documents and training material. You can download training material and a template GDPR Policy as part of our GDPR Pack, available on our website.
If you need any further assistance or consultancy for your GDPR implementation, simply contact us for further information. A range of our services is set out below:
Template Policy - £400
DPIA - £400
Privacy by Design - £400
8 rights processes - £50 each
Review of your position - £400