GDPR has been in place now for just over six months, and with two years to prepare for the regulation coming into force, many would argue that businesses had plenty of time to put measures in place. However, with new research by Deloitte showing that a third of businesses are taking longer than the required 30-day period to respond to customer data requests, it is clear that GDPR compliance is an ongoing process. Our recent blog post on our ISO 27001 re-accreditation explains how we use that standard to support our GDPR compliance, but we thought it would be worth taking a more in-depth look at how to deal with customer data and the rights individuals have over it.

1. The right to be informed

This is a key transparency requirement under GDPR and essentially means that the customer has the right to be told how their data is being processed and why. When you ask for their consent to process their data, you need to clearly state what will happen to it. The customer retains the right to be informed after the initial consent has been granted, so if they ask, you should be able to tell them how their personal data is being used at any point during the process.

2. The rights of access, rectification and erasure

This can also be referred to as Subject Access: individuals who want to find out what has happened to their data can submit a request either verbally or in writing. A request is for one of three things: confirmation that you are processing their data; a copy of the data that you hold; or supplementary information about the processing (this should be outlined in your privacy policy). Alongside this sits the right to request that the data be amended or deleted. A company then has 30 days to reply, and it is this timescale that many businesses are failing to meet.

3. The right to restrict processing

Right number 3 is slightly different in that an individual does have the right to request that the processing of their data be restricted, but this only applies in certain circumstances. The grounds could relate to the content of the data held or to the processing itself, and restriction can be an alternative to requesting erasure, but it cannot remain in place indefinitely.

4. The right to data portability

Data portability is new to the GDPR, in that it was not covered by the previous Data Protection Directive. It means that if an individual requests their data, it must be supplied to them in a commonly used format that can be transferred between controllers and allows the individual to make further use of the data.

5. The right to object

An individual also has the right to object to how their data is being used. Unless the controller can demonstrate compelling and legitimate reasons for continuing to use the data, continuing to process it puts them in breach of GDPR. Taking direct marketing as an example: where an individual has previously given consent for their data to be used but then objects, the organisation needs to stop processing the data.

We hope you’ve found this information useful. If you need any further assistance with GDPR, head over to our GDPR page to see how we can help.