
GDPR: What Rights Do Individuals Have?

So this is the one that matters to all of us. Under the new legislation, businesses must provide a lawful basis before they can process personal data, and this in turn affects an individual’s rights. This is not painful but it is important for companies to consider how these rights will impact their HR data and how they go about obtaining consent to retain and process this data. In this blog we will concentrate on the rights that employees will have when it comes to their personal data.

THE RIGHT TO BE INFORMED

Each member of staff will have the right to be given the information that a company holds on them, how this is being processed and why. This is a reasonable ask, and the organisation must do this in a fair and transparent way; a definition of what this means could also be put into this communication. This is generally communicated through privacy notices, as discussed in the previous blog.

THE RIGHT OF ACCESS

Organisations must be able to provide employees with information about what is being processed and also give them access to this data free of charge. There will be a cost in time and effort, but the data must be provided in an acceptable, consistent format in one communication, not in a huge meaningless CSV file. This will mean collating all information into one central point and in one format, be that printed, electronic or any other applicable format.

THE RIGHT TO RESTRICT PROCESSING

Personnel will have the right to stop or suppress the processing of personal data, following a similar standard as the Data Protection Act. If the processing is restricted, companies may be able to hold the data but will no longer be able to process it. Of course there will be regulatory reasons why companies must retain HR data, but it is important to understand what the impact would be if you are no longer able to process it. In some organisations this may prove to be difficult.

THE RIGHT TO DATA PORTABILITY

Any staff member may obtain their personal data and use it for their own purposes. This right allows them to move, copy or transfer personal data.

THE RIGHT TO OBJECT

Individuals have the right to object to processing in certain circumstances, be that for direct marketing, research, profiling, or matters of interest to the public or the execution of official authority. This is something that could be addressed when someone joins an organisation, and through regular reviews to check staff are happy with current data processing.

THE RIGHT TO RECTIFICATION

Should any data be deemed to be inaccurate or incomplete, people have the right to have this corrected. Any requests for information to be made factually correct must be responded to within one month, unless the request is seen to be complex. Additionally, if this data has been passed on to any third parties, then the individual must be informed who this has gone to, why this was done and any corrective actions that have been undertaken.

THE RIGHT TO ERASURE

This is also known as ‘the right to be forgotten’. It allows anyone to request that their personal data is deleted if there is no reason to keep it. Therefore, it is important to understand what information must be retained from a regulatory perspective and for how long.

RIGHTS IN RELATION TO AUTOMATED DECISION MAKING AND PROFILING

The GDPR gives protection to individuals to prevent the use of decision making without the intervention of a human being. This enables them to get human intervention, express their viewpoint, be given an explanation as to why this decision was made and ultimately have the opportunity to challenge it.

Additionally, it will no longer be acceptable to carry out automated offers based on specific personal information that could be held on an individual, for example but not limited to their age, demographic or lifestyle.

Our previous GDPR blog covered What to Consider When Communicating Privacy Information.

About the author

Ben Crick
