What are my data protection rights under GDPR?
Under GDPR, a company may process and store an individual's data, but ownership of that data is retained by the individual, whether they are a customer, employee, third party, outsourced supplier or anyone else.
The data the company holds must be accurate and protected against hackers and misuse. If it is wrong, they must either delete it or amend it, and they may only hold the minimum data necessary for the minimum amount of time.
If you have consented to them having or using your data, you can withdraw your consent at any time and they must stop using it immediately.
What does it mean for me?
Basically, it means that you have a lot more rights and control over who uses your data and who benefits from its use.
Anyone who has your data has 28 days to justify holding it, must delete it if they should not have it, or must amend it if it is wrong. You also have the right to object to them processing it, and to object to them using automated decision-making tools on you, such as credit scoring and marketing profiling.
What are my specific rights under GDPR?
Under GDPR you will have a raft of new and extraordinary rights. You control your data and not the company which is processing it. You will have:
The right to be informed
Anyone holding your data must fully disclose in their privacy policies why they have your data, what they do with it and where it goes, and give you the chance to object or request more information from them.
The right of access aka "Subject Access Request"
Under this right you can ask any organisation what data they hold on you (or that you think may hold data on you), and they have to supply you, in electronic or paper format, with full transcripts of all structured or unstructured data, including system databases, photos, CCTV images, audio recordings, emails, paper records and anything else in any format. They have to do this for free and within 28 days of your request.
The right to rectification
Under this right, if you think the data a company holds on you is incorrect and you can prove it, then they have to change it and ensure that any third parties which may have received this incorrect information from them correct their records as well.
This can range from address information, which is pretty standard, to matters of opinion as well as fact, and to transactional data.
The right to erasure
This is also known as the right to be forgotten. Basically, not only do companies have to amend any incorrect data they have on you, you can also insist that they delete it.
If they have captured data illegally, acquired it without your full knowledge, or cannot justify how or why they have the data they hold on you, then once you know what they have on you, you can exercise your right to deletion.
The right to restrict processing
With this right, if a company does not have your explicit permission to use your data, for example for email marketing, then you can simply tell them to stop. Again, this depends on knowing what data they have on you and what permissions they have to use it.
The right to data portability
With this right, you can ask any company which holds your data to give you a complete copy of what they have on you in an electronic format so that you can give it to anyone else. And yes, this includes a full breakdown of your complete Facebook history.
The right to object to processing
This is similar to the right to restriction, but this one basically means you can tell a company to stop processing your data full stop. Your right depends on why they have your data and what they do with it, but if they are doing things they should not be doing, they simply have to stop processing your data entirely.
Rights related to profiling and automated decision making
With this right, if a company is using automated profiling and decision making (which almost all companies are doing these days), then once you know what they are doing, whether it is credit checking, marketing special offers to you, or even stopping you from applying for jobs, you can apply this right and ask them to review your applications manually. If they do not, then they are in breach and are liable for fines.