Data subjects could include employees, customers or even potential customers if your business collects prospective leads. Under the GDPR, data subjects have the following rights:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure (the right to be forgotten);
- The right to restrict processing;
- The right to data portability;
- The right to object;
- Rights in relation to automated decision making and profiling.
In terms of the HR function there are three rights that are most pertinent:
The right of access
Under the DPA, data subjects (including employees) could request access to any data held on them through a ‘subject access request’. This remains the same under the GDPR, with a few amendments.
Previously, companies could charge a £10 fee for access to data, and any request had to be completed within 40 days (unless an exemption applied). Under the GDPR, the information must be provided as soon as possible and within one month at the latest (this can be extended by a further two months where requests are complex or numerous). Employers will also not be able to charge a fee unless the request is ‘manifestly unfounded or excessive, particularly if it is repetitive’.
When a subject access request is made the following information needs to be produced:
- A description of the personal data, the purpose for which it is processed, recipients, retention period and rights of rectification, erasure, restriction, and objections.
- A copy of the information comprising the data.
- Details of the source of the data.
The right to rectification
“Individuals are entitled to have inaccurate data rectified without undue delay”. The Information Commissioner’s Office (ICO), the UK authority responsible for enforcing compliance, has stated that these amendments should be made within one month of a request being made, or within two months if the request is complex in nature.
If no action is taken within this time employers must explain the reasons why and inform the individual of their right to complain and to a judicial remedy.
The right to erasure (‘the right to be forgotten’)
This gives individuals the right to request that personal data be deleted or removed when there is no compelling reason for its continued processing.
The right to erasure does not provide an absolute ‘right to be forgotten’; it applies only in specific circumstances, for example where:
- The personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- The individual withdraws consent.
Under the DPA, the right to erasure was limited to processing that causes unwarranted and substantial damage or distress. Under the GDPR, this threshold is not present. However, if the processing does cause damage or distress, this is likely to make the case for erasure even stronger.
The issue of consent
Data controllers must obtain consent from the data subject in order to process their data unless another lawful basis for the processing applies.
This consent has to be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
When obtaining consent, certain pieces of information will need to be included:
- The identity of the data controller;
- What the data is processed for (some processes will require their own specific consent);
- How the data is processed;
- The right to withdraw consent at any time.
The Information Commissioner is currently creating guidance to assist data controllers with how to obtain consent, however, this has not yet been finalised.