data rights

How to protect the rights of data subjects

In eLearning Basics by Orlagh Cramp

GDPR can seem daunting to get your head around. In our previous blog, GDPR Fundamentals, we introduced the major changes that GDPR has brought to organisations. Now we are going to walk you through ten ways you have to protect the rights of people giving you their data so you can adhere to the new legislation and avoid costly fines.

Access and portability: Let people access their data and give it to another company.

  • The Right of Access is an important right for individuals, allowing them to obtain
    information about the kinds of data organisations process about them, and to verify
    that the information is accurate and up to date.
  • Here is a guide from the Irish Data Protection Commissioner to bring organisations through the process of responding to an access request.

Childrens data: Collecting data from children under 16?

  • Under the GDPR you must ensure that you have adequate systems in place to verify individual ages and gather consent from guardians.
  • However, each EU Member State can lower this threshold to between 13 and 16 years of age, so check the age limit.

Communication: Tell them who you are when you request the data.

  • Say why you are processing their data, how long it will be stored and who receives it.

Consent: Consent is one of the legal grounds for processing data.

  • Consent should be given by a clear affirmative action.
  • Consent can be retracted at any stage and should be as easy to do as the granting of the consent itself.

Data transfer outside the EU:

  • Make legal arrangements when you transfer data to countries that have not been approved by the EU authorities.

Erase data: Give people the ‘right to be forgotten’.

  • Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research.
  • It gives people the right to have outdated or inaccurate personal data to be removed and has, in some instances, already been implemented by companies like Google, who were forced to remove pages from its search engine results in order to comply.

Marketing: Give people the right to opt out of direct marketing that uses their data.

  • A unsubscribe link should be included in all email marketing efforts.
  • Avoid collecting any unnecessary data and stick with the basics.

Profiling: If you use profiling to process applications for legally-binding agreements like loans you must:

  • Inform your customers; Make sure you have a person, not a machine, checking the process
  • If the application ends in a refusal; Offer the applicant the right to contest the decision.

Safeguarding sensitive data: Use extra safeguards for any information that is clearly about a particular person.

  • This includes information on health, race, sexual orientation, religion and political beliefs.
  • It should only be kept on laptops or portable devices if the file has been encrypted and/or if a pseudo name us used. 

Warnings: Inform people of data breaches if there is a serious risk to them. A data breach is a situation in which confidential data are lost, are wrongly changed, are made public, or fall into the wrong hands. 

  • The GDPR requires that the controller must report any data breaches that could constitute an infringement of the privacy of data subjects without unnecessary delay to the data protection authority.
  • If there is a serious risk of damage, the data subjects will also have to be informed.

If you want to educate your team and protect your business from any potential fines, take our GDPR fundamentals course. Employees who pass this 45-minute online course will be issued a certificate of completion. You can be assured that the course will provide your employees with all the tools necessary to navigate their workspace under GDPR.

Disclaimer: We take no responsibility for the advice provided. It is entirely your responsibility to be aware and fully compliant with regulations.