GDPR has been in place now for just over six months, and with two years to prepare for the regulation coming into force, many would argue that businesses had plenty of time to put measures in place. However, new research by Deloitte shows that a third of businesses are taking longer than the required 30-day period (one month under Article 12(3)) to respond to customer data requests, so it is clear that GDPR compliance is an ongoing process rather than a one-off project. Our recent blog post on our ISO 27001 re-accreditation explains how we use that standard to support our GDPR compliance, but we thought it would be worth taking a more in-depth look at how to deal with customer data requests, right by right.
1. The right to be informed
This is a key transparency requirement under GDPR and essentially means that the customer has the right to be told how their data is being processed and why. When you ask for their consent to process their data, you need to clearly state what will happen to it, but note that the right applies whatever your lawful basis is, not only where you rely on consent. The customer retains the right to be informed after the initial consent has been granted, so if they ask, you should be able to tell them how their personal data is being used at any point during the process.
2. The rights of access, rectification and erasure
3. The right to restrict processing
Right no. 3 is slightly different in that an individual does have the right to request that processing of their data be restricted, but this only applies in certain circumstances. It could be because of the content of the data held (for example, the individual contests its accuracy) or because of the processing itself (for example, they have objected to it and you are still checking whether your grounds override theirs). Restriction can be an alternative to requesting erasure, but it cannot stay in place indefinitely: once the reason for it has been resolved, you must tell the individual before the restriction is lifted.
4. The right to data portability
Data portability is new to the GDPR, in that it was not covered by the previous Data Protection Directive. It means that if an individual requests the personal data they have provided to you, that data must be supplied to them in a structured, commonly used and machine-readable format that can be transferred to another controller and allows the individual to make further use of it. The right applies where the processing is carried out by automated means and is based on consent or on a contract with the individual.
5. The right to object
An individual also has the right to object to how their data is being used. Unless the controller can demonstrate compelling legitimate grounds for continuing to use the data that override the individual's interests, it must stop, and carrying on regardless would be a breach of GDPR. Direct marketing is the simplest case: there is no balancing test at all, so when an individual who previously agreed to their data being used for marketing later objects, the organisation needs to stop processing the data for that purpose.

We hope you've found this information useful. If you need any further assistance with GDPR compliance, head over to our GDPR Consultancy page to see how we can help.