It is easy to assume that because individual rights existed under the Directive, you don’t have to do anything extra to implement the GDPR. If you are assuming this, you are mistaken. Furthermore, as discussed in an earlier blog, the timing requirements and the reasons for not complying with an individual request are different and you can no longer charge a fee to respond to an individual request. Additionally, as previously discussed, some new rights have been added and some rights that previously existed have changed. So, what changed and what stayed the same?
The right to information preserves the basic right that individuals are entitled to a minimum set of information – the identity of the controller (link), the controller’s reasons for processing (link) personal data (link) and other information necessary to achieve fair and transparent processing of personal data.
The right of access permits individuals to obtain access to their personal data. This right existed under the Directive, but the mandatory categories of information which must be supplied in connection with an access request have been expanded under the GDPR.
The right to rectification permits individuals to obtain correction of any errors in their personal data. This right is largely unchanged in the GDPR.
The right to erasure permits individuals to obtain deletion of their personal data. This right is broader under the GDPR. Under the Directive, the right existed where the controller failed to comply with the Directive. Under the GDPR, the right exists under certain specified circumstances.
The right to restrict processing permits individuals to restrict the processing of personal data under certain circumstances. Under the Directive, the individual had the right to request blocking of data which meant that the controller could not use the data. Under the GDPR, the right to restrict processing means that the data can only be stored by the controller and can only be used for limited purposes. Thus, under the GDPR, there is a broader range of circumstances in which individuals can restrict “processing” of personal data.
The right to data portability permits individuals to transfer their personal data between controllers. The Directive did not directly address this right. Thus, the right to data portability is a new right under the GDPR.
The right to object permits individuals to object to the legitimate interest or public interest legal basis to process (link). The Directive permitted processing to continue unless the individual could show the objection was justified. The GDPR reverses the burden and requires the organization to demonstrate either it has compelling grounds for continuing processing personal data or the processing of personal data is necessary in connection with its legal rights. The right to object to processing for purposes of direct marketing preserves the position under the Directive. The right to object for scientific, historical or scientific purposes gives individuals more specific rights.
This blog is the thirteenth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR. If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.
Next blog: How do I keep all these rights straight? Are there any commonalities between all these rights?