The Privacy Guy – Privacy Promise 5 – Rights of Individuals

You’ve got to fight……... for your right…… privacy. Well, not any more. The GDPR has given individuals plenty of rights which they can exercise quickly and easily. Satisfying those rights is the tricky, time consuming part.

By Nigel Jones

Co Founder of The Privacy Compliance Hub

March 2020

The Privacy Guy - Privacy Promise 5

Any fight over a subject access request (SAR) is often caused by ill prepared organisations, missed deadlines, or staff not even spotting that a request from an individual is an official request under the GDPR at all (has your help desk been trained?). Add to that a general reluctance to appreciate that the rights granted to individuals under the GDPR are for the greater good and the fights tend to start. It doesn’t have to be this way.

First, you need to be ready.  This means that you are going to need to put in place a structured privacy compliance programme.  People in your organisation need to understand what the rights of individuals under the GDPR are. Once they understand, hopefully they will care.  And if they care they will do what they need to help. At The Privacy Compliance Hub, we provide a simple platform to make people understand and care.  The programme is based upon our unique Eight Privacy Promises.  Helping everyone understand those Eight Privacy Promises is our very own Privacy Guy who guides you through what it means and what it takes to comply with the law.

Privacy Promise 5 – We respect the rights of individuals

Or, in other words, we promise to respect the rights of those people whose personal information we process.

What The Privacy Guy needs you to understand

The Privacy Guy needs you to understand that the rights granted to individuals under the GDPR are designed to protect those individuals.  The purpose of giving individuals rights is so that they are aware of what personal information you have, what you do with it and also to verify that you are using it in accordance with the legal basis you are relying on to process it.

You need to tell people their rights and how to exercise them.  You need to do this in a transparent and easy to understand manner.

The rights granted to individuals under the GDPR are as follows:

  • the right to be informed – for example, about what their personal information is used for;
  • the right of access – for example, a right to request copies of the personal information being processed;
  • the right to rectification – for example, the correction of inaccurate personal information;
  • the right to erasure (sometimes called the right to be forgotten) – for example if personal information is inaccurate, or out of date;
  • the right to restrict processing – perhaps whilst a request for erasure is being processed or considered;
  • the right to data portability – for example, if you want to move your personal information to another provider of the same or similar services;
  • the right to object to processing – for example the right to object to direct marketing; and
  • the right not to be evaluated solely based on automated decision making and the right in relation to profiling – for example, the right not be refused insurance cover based upon an automated decision without human intervention.

“What’s great with the Hub is that it’s outlined in a very structured way – how to go about understanding the regulations.”

Peter Edenholm
Chief Operating Officer

Read story

Why The Privacy Guy thinks you should care

In our private lives, we should care what organisations do with our personal information.  For example, if you had been signed off work with post natal depression and that was on your HR record, you wouldn’t want it to stay on your record forever because after a period of time that information would become irrelevant.  You need to be able to check that such information has been removed to ensure the accuracy of the personal information your employer holds about you.

Similarly, if your bank notices that you have an online account with a bookmaker and for that reason profiles you as a high credit risk, you would want to know that was the case.

We should think in the same way when we are at work.  The rights granted to individuals whose personal information we process at work are equally important to us as individuals.  Individuals need protecting and you need to respect their rights.

What The Privacy Guy needs you to do

First, you need to be able to spot a subject access request (SAR) when it arrives.  A SAR is a request from an individual to exercise their rights. This is not always easy to do. Ideally you will have received training which enables you to spot such requests from individuals looking to exercise their rights.  You then need to know what to do with such a request and realise that you have to react quickly because not responding within the strict timeframes set by the law could land your organisation in trouble.

You should also be aware of the need to verify the identity of the person making the SAR.  You do not want to put your organisation in breach of the GDPR by providing personal information to a person who is not entitled to that information.  You need to be aware of the procedures your organisation has for verifying identity.

Finally, you need to know who to ask if you are not sure of how to respond to a request.

Kelly Read – Parish of Credit Kudos explains how The Privacy Compliance Hub has helped her organisation establish and maintain compliance with the GDPR.

Watch video

A culture of continuous privacy compliance

In our view, the only way to ensure that all your staff respect the rights of individuals is to have the right culture in place.  At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous privacy compliance by making everyone in an organisation understand privacy, care about privacy and to do their bit to protect personal information.  Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to comply with privacy rules including the GDPR and the CCPA.

More to watch and read