The simple version is that people have certain rights over how you use their data.
People suffer when their data is lost, stolen or abused, and it’s up to you to make sure the information you hold about them is safe.
There are eight data subject rights:
The right to be informed
You need to tell people what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties. This information must be communicated concisely and in plain language.
If anyone has any doubts about how their data is being used, they can exercise their second data subject right.
The right of access
People can ask an organisation to confirm whether it is processing their personal data and, if so, to provide a copy of that data together with the details described under the right to be informed. Organisations have one month to produce this information, although there are exceptions for requests that are manifestly unfounded or excessive, including because they are repetitive.
The right to rectification
If a person discovers that the information an organisation holds on them is inaccurate or incomplete, they can request that it be updated.
As with the right of access, organisations have one month to do this, and the same exceptions apply.
The right to erasure
People can request that organisations erase their data in certain circumstances, such as when the data is no longer necessary, the data was unlawfully processed, or it no longer meets the lawful ground for which it was collected. This includes instances where the individual withdraws consent.
The right to erasure is also known as ‘the right to be forgotten’.
The right to restrict processing
People can request that an organisation limits the way it uses personal data.
It’s an alternative to requesting the erasure of data, and might be used when a person contests the accuracy of their personal data or when the organisation no longer needs the information but the person requires the organisation to keep it to establish, exercise or defend a legal claim.
The right to data portability
People are permitted to obtain and reuse their personal data for their own purposes across different services. This right only applies to personal data that a person has provided to a data controller, where the processing is based on consent or a contract and is carried out by automated means.
The right to object
People can object to the processing of personal data that is carried out on the grounds of legitimate interests, or for the performance of a task carried out in the public interest or in the exercise of official authority. Where personal data is processed for direct marketing, the objection is absolute and the organisation must stop that processing.
Organisations must stop processing information unless they can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the person, or if the processing is for the establishment, exercise or defence of legal claims.
Rights related to automated decision-making, including profiling
The GDPR restricts decisions based solely on automated processing, including profiling, which uses personal data to evaluate or predict aspects of a person, where the decision produces legal effects for them or similarly significant effects.
There are strict rules about this kind of processing. People are entitled to obtain human intervention, to express their point of view and to contest the decision, and they can complain to the supervisory authority if they believe the rules aren’t being followed.