New video alert: Privacy Promise 5 is the rights of individuals

We’ve created a series of short animations that break down each of our 8 Privacy Promises. Here’s number five

By Nigel Jones

Co Founder of The Privacy Compliance Hub

January 2022

In September 2021, Austrian Post was hit with the country’s largest GDPR fine to date. The organisation received a €9 million fine for failing to facilitate data subject rights requests properly. Requests were only possible via a web form, post, or phone – email wasn’t supported. The Austrian DPA regulator ruled the mail carrier should have allowed people to submit requests via any medium they preferred. 

Handling subject access requests (SARs) incorrectly can lead to considerable fines. Under the GDPR (and UK GDPR), individuals have the right to know what personal information organisations have about them and what they’re using it for. Mistakes are often made when organisations aren’t prepared, when they miss deadlines, or don’t recognise that the request falls under the GDPR at all. 

In the fifth of our short training videos, the Privacy Guy highlights just why this right is so important. He asks you to imagine you got in with the wrong crowd when you were younger and got a conviction for criminal damage. It was over 20 years ago but your friend has come across a database that shows your conviction and shows it to people, putting you in an awkward position. Or perhaps you do some online research on a job applicant at work and find out he was convicted for drug possession in his 20s while working as a DJ. After not getting the job, he files a SAR because he suspects the decision wasn’t fair. 

Your free and simple GDPR compliance audit is an online privacy health check provided by our experts. It’s confidential, comprehensive, and takes just 10 minutes to complete.

Take our free GDPR compliance audit

Under the GDPR, individuals have the right to be informed about what their personal information is being used for; the right to request copies of their data; the right for inaccurate personal information to be corrected; the right to erasure (sometimes called the right to be forgotten); the right to data portability; the right not to be evaluated solely on automated decision making, and more. 

First, you need to be able to spot a subject access request (SAR) when it arrives. You then need to know what to do with such a request and to react quickly, because there are strict timeframes set by law. You should also be aware of the need to verify the identity of the person making the SAR. You do not want to put your organisation in breach of the GDPR by providing personal information to a person who is not entitled to that information. Finally, you need to know who to ask if you are not sure of how to respond to a request.

More to watch and read