Any fight over a subject access request (SAR) is usually caused by ill-prepared organisations, missed deadlines, or staff not even spotting that a request from an individual is a formal request under the GDPR at all (has your help desk been trained?). Add to that a general reluctance to accept that the rights granted to individuals under the GDPR are for the greater good, and the fights tend to start. It doesn’t have to be this way.
First, you need to be ready. This means you are going to need to put a structured privacy compliance programme in place. People in your organisation need to understand what the rights of individuals under the GDPR are. Once they understand, hopefully they will care. And if they care, they will do what is needed to help. At The Privacy Compliance Hub, we provide a simple platform to help people understand and care. The programme is based upon our unique Eight Privacy Promises. Helping everyone understand those Eight Privacy Promises is our very own Privacy Guy, who guides you through what each promise means and what it takes to comply with the law.
Privacy Promise 5 – We respect the rights of individuals
Or, in other words, we promise to respect the rights of those people whose personal information we process.
What The Privacy Guy needs you to understand
The Privacy Guy needs you to understand that the rights granted to individuals under the GDPR are designed to protect those individuals. The purpose of giving individuals rights is so that they are aware of what personal information you have, what you do with it and also to verify that you are using it in accordance with the legal basis you are relying on to process it.
You need to tell people their rights and how to exercise them. You need to do this in a transparent and easy-to-understand manner.
The rights granted to individuals under the GDPR are as follows:
- the right to be informed – for example, about what their personal information is used for;
- the right of access – for example, a right to request copies of the personal information being processed;
- the right to rectification – for example, the correction of inaccurate personal information;
- the right to erasure (sometimes called the right to be forgotten) – for example, if personal information is inaccurate or out of date;
- the right to restrict processing – perhaps whilst a request for erasure is being processed or considered;
- the right to data portability – for example, if an individual wants to move their personal information to another provider of the same or similar services;
- the right to object to processing – for example, the right to object to direct marketing; and
- the right not to be evaluated solely on the basis of automated decision-making, and the right in relation to profiling – for example, the right not to be refused insurance cover based upon an automated decision made without human intervention.