In summary, an individual has the right to:
- Be informed. You need to provide them with processing information, typically through a concise and plainly written privacy notice that makes it clear how you use their personal data.
- Access. Individuals can ask you to confirm you are using their data, and access that data. You can no longer charge for this and there are rules about turnaround times.
- Rectification. You can be asked to correct information that is inaccurate or incomplete, and must, where possible, inform any third parties that you have passed the information to.
- Erasure (to be forgotten). Essentially, this means you need to delete personal data when asked, provided there is no compelling reason to keep it.
- Restrict processing. Individuals can suppress or block data processing. Practically, this means you can store the data but not perform any further processing.
- Data portability. An individual could ask to obtain and reuse their own personal data elsewhere – for example by inputting it into other applications or services.
- Object. This applies where a person’s data is being used for profiling, for direct marketing (this one is particularly relevant in the print industry) or for scientific or historical research.
- Question decisions taken without human intervention. If any of your processing is based on automated decision making, ensure that you have procedures in place to deal with decisions made that might be damaging in some way to an individual.