With less than eight months until the General Data Protection Regulation takes effect, we’re gearing our readers up for the changes with a series of blog posts exploring details of the new law. So far we’ve covered what GDPR is and why it’s important, consequences if you’re not compliant, and the top three changes to expect under the new law. This time, we’re going to delve into rights of the data subjects and how they’ll be protected under GDPR.
There are six new sections added to the regulation regarding the rights of data subjects:
- Breach Notification
If a data breach occurs once GDPR takes effect, there will be no room for hesitation when it comes to notifying those involved. If the breach is “likely to result in a risk for the rights and freedoms of individuals,” then it will be mandatory to inform those affected within 72 hours of acknowledging the breach. Those in charge of the data will need to notify their customers and the controllers “without undue delay”.
- Right to Access
If you’ve ever wondered what personal information of yours is being processed at any given time, then GDPR is sure to give you peace of mind. Under the new law, data subjects will enjoy “data transparency and empowerment” with the ability to request, free of charge, a summary of the places where their personal information is being processed. This puts control back in the data subject’s hands and gives them the opportunity to adjust and make safer decisions.
- Right to be Forgotten
That leads us to the next addition – the right to be forgotten, which is also known as Data Erasure. If the conditions are right, data subjects have the right to request the following:
  - Erase personal data in controllers
  - Stop further spread of the information
  - Possibly stop third parties from processing the data
As we mentioned above, there are specific conditions that must apply before qualifying for these options. Subjects will have to prove their data is being used for purposes other than the original intent. However, the key is that data subjects have more control over the unapproved spread of their personal information under GDPR.
- Data Portability
As the name suggests, this regulation will allow data subjects to receive and transmit their personal information across controllers without question or concern.
- Privacy by Design
The idea of privacy by design has been around for a while now, but it’ll officially be a part of the GDPR come May 2018. This concept requires data protection to be integrated into all controllers and data systems from the beginning rather than being added afterwards. This will improve the overall design and function of the controllers, which will process only what’s necessary and limit access to the personal information involved.
- Data Protection Officers
GDPR is designed to bring data protection up to speed with the technologically advanced times, and part of that means making data processing easier and more uniform across state borders. There will be new internal record keeping requirements put into place, and Data Protection Officers will be required if the information being processed involves a criminal conviction or offense. For more information on Data Protection Officers, visit the GDPR website.
In our next blog post, we’ll provide a summary of how the new law will affect companies in the U.S., and what they can do to prepare.