Rights of Individuals Under the GDPR
The EU’s General Data Protection Regulation goes into effect on May 25, 2018. GDPR replaces the EU Data Protection Directive. GDPR can apply to US-based businesses even if they do not have offices or employees in the EU. It can also reach activities conducted outside the EU.
The Directive did not regulate US businesses unless the collection or processing occurred within the EU (e.g., if a US-based company had a data center in the EU). Now GDPR clearly has stronger extraterritorial reach than its predecessor.
Businesses collecting and using personal data should know their GDPR obligations. Violators of GDPR face steep penalties. Regulators can fine a company up to 20,000,000 euros or 4% of worldwide annual turnover, whichever is higher.
The GDPR provides enhanced rights for individuals. Below we summarize the general principles companies must follow when interacting with individuals and we identify the specific rights granted to individuals under the GDPR. We also suggest some practical steps to assist your company’s compliance with this portion of the GDPR.
Your information and communications with individuals must be concise, transparent, intelligible, accessible and in clear/plain language.
Rights can be exercised free of charge, unless manifestly unfounded/excessive.
You must respond to requests and provide information promptly and, generally, within one month (exemptions may apply).
Right of access to personal data. An individual has the right to access personal data held by an organization.
Right of rectification. An individual has the right to request the correction of personal data held by an organization to the extent that it is inaccurate or incomplete.
Right to data portability. An individual has the right (in certain circumstances) to obtain personal data in a format to allow them to transfer it from one organization to another.
Right to withdraw consent. An individual has the right to withdraw consent at any time, and the process to withdraw consent must be as easy as the process to give consent.
Right to object. An individual has the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling). This right also applies to direct marketing and processing for purposes of scientific/historical research and statistics.
Right to restrict processing. An individual has the right (in certain circumstances) to “block” or suppress the processing of their personal data.
Right to object to automated decision making (including profiling). An individual has the right (in certain circumstances) to object to automated decisions (including profiling) based upon the processing of personal data and request human involvement.
Right to erasure/to be forgotten. An individual has the right (in certain circumstances) to request the deletion of personal data where there is no compelling reason for its continued processing.
Other rights: An individual has the right to: complain to the data protection regulator; judicial remedy against a controller/processor; representation (by consumer bodies/watchdogs); and compensation from the controller/processor.
Notification of rectification, erasure or restriction. If an individual asks you to erase personal data, restrict processing, or rectify incomplete or inaccurate personal data, you must notify any other organizations to whom you have disclosed the individual’s personal data (unless this is impossible or involves disproportionate effort).
Review, create and/or update protocols for dealing with individual rights. Ask and answer questions such as: Can we respond to requests within a month? Will we need any assistance from our processors?
Ensure existing and new internal systems (HR, IT, etc.) are designed to give effect to and comply with these rights. Ask and answer questions such as: Do we have the ability to correct data? What is the process if an individual requests a copy of their data?
Review and update your existing communications with individuals. Ask and answer questions such as: Are our public facing policies (e.g., privacy policies) and communications concise, transparent, intelligible, accessible and in clear/plain language?