But it’s not only organisations that will have to pay closer attention to the way personal data is collected. Individuals’ new and strengthened rights under the GDPR will make them think about the way their data is being collected and used in a way they perhaps never have before.
People will be given more information
When the GDPR takes effect on 25 May 2018, individuals are going to be given frequent, in-depth and transparent notices from organisations looking to collect their data. This is because the Regulation strengthens people’s right to be informed and makes changes to consent requirements.
Such notices will probably become standard practice online, meaning individuals will be regularly reminded of how much organisations rely on their data.
The same will be true of any data collection practice that relies on consent. All consent requests must be clear about people’s options to consent to different types of processing, and which organisations and third parties will be relying on their consent.
Consent requests must also meet other criteria, but, crucially, consent must be given with a clear affirmative action.
It’s worth noting that consent is only one of six lawful grounds for processing data, and it’s the least preferable for organisations. Therefore, organisations should only rely on it if none of the other grounds apply.
Individuals can communicate with organisations
The GDPR makes it easier for individuals to have their data rectified, restricted or erased. It enforces this through four rights.
The first is the right to object, in which individuals can contest:
- Processing based on legitimate interests or the performance of a task in the public interest or through an official authority. If an individual contests this, the organisation must stop processing their data unless it can demonstrate compelling legitimate interests for the processing, or if the processing is for the establishment, exercise or defence of legal claims.
- Processing for the purposes of direct marketing. If an individual objects, the organisation must stop processing their personal data immediately.
- Processing for scientific or historical research and statistics. Individuals can only object to this type of processing if they have “grounds relating to his or her particular situation”.
The second is the right to rectification, which applies when the information an organisation holds is inaccurate or incomplete. Individuals are entitled to contact the organisation and request that this information be updated.
The third is the right to erasure (also known as the right to be forgotten), in which individuals can request that an organisation deletes the data it holds on them if:
- It’s no longer needed for the purpose that it was originally collected;
- There’s no overriding legitimate interest for continuing the processing;
- The personal data was unlawfully processed;
- The personal data must be erased to comply with a legal obligation; or
- The personal data is processed for an information society service provided to a child.
If an individual consented to the processing of their data, they are entitled to withdraw that consent and therefore request the removal of any data that relied on that basis.
The fourth is the right to restrict processing. When processing is restricted, organisations can keep hold of the data, but they can no longer process it.
Individuals may exercise this right if they believe the data is inaccurate or they object to the processing on the grounds of legitimate interest or the performance of a public task. In these circumstances, processing should be suspended until the matter is resolved.
Individuals may also exercise this right if the processing is unlawful, but they prefer restriction to erasure, or if the organisation doesn’t need the personal data any more, but they require the data to establish, exercise or defend a legal claim.