The GDPR Bill of Rights

This is our third (and final) post covering GDPR. Catch up on our first and second installments.

Made up of 11 chapters containing 99 articles, the new GDPR legislation is a behemoth. Nestled within the dozens of pages of legal jargon, however, is an all important chapter covering data subject rights.

According to Chapter 3 of the GDPR, the data subject (a.k.a. anyone who’s data is handled by your company) has 7 explicit rights they can exercise to protect their personal information. To get a better sense of why this legislation came to pass, it’s important to understand what these rights mean.

Last week, we covered the right to access personal data, helping companies accelerate their path to compliance.

Today we take a closer look at the remaining six data subject rights:

• Right of rectification
• Right to be forgotten
• Right to restrict processing
• Right of data portability
• Right to object
• Right to be removed from automated decision making

Right of rectification

The right to rectify personal information is second on the GDPR Bill of Rights. It affirms that the accuracy of your personal data is always in your control, ensuring you can contact a company in order to correct or update your information.

Right to be forgotten

Have you ever tried to delete an online account for a service you never used, only to be hit with more spam from that same company? Same.

The good news is that the GDPR looks to kabash those never-ending annoyances. The new rules give great detail around what measures a company must take to delete a user’s personal data.

More important, the obligation to delete extends to third party affiliates as well. So if you’ve used your Facebook account to log into another app, Facebook is required to ensure the deletion of your data across all third party applications, should you choose to delete your Facebook account.

Right to restrict processing

One thing everybody hates is having to give away unnecessary information when signing up for an app or service. Article 18 of the GDPR looks to address that.

It states that any individual can stop companies from processing their data when it is no longer necessary in regards to the original user request. User’s can also restrict the processing of their data when the information is no longer accurate.

Right to data portability

It’s hard to picture what your data actually looks like. If you’re imagining something from the matrix, you’re not far off.

According to the GDPR, companies have to deliver data to requesting users in a machine readable format, a.k.a. a clunky, but standardized, spreadsheet. It might not be pretty, but this requirement ensures your data can be transferred to another, potentially competing, service if need be.

Right to object

Unsubscribing from email blasts is hard enough, but what about all the data processing that goes on in the background?

Under Article 21 of the GDPR, the data subject has the right to stop the unnecessary processing of their data, including direct marketing. Fingers crossed this means a stop to junk mail.

Right to be removed from automated decision making

Profiling can be a big issue when it comes to data processing. If you’ve applied for a credit card or personal loan, you’ve probably noticed that sometimes your application is approved (or denied) in seconds.

This is because more and more companies are using automated processes to approve or deny applicants based on the data they provide. Under the GDPR, applicants are given the right to avoid any automated bias by requesting a personal review of their application.

We believe understanding the ins and outs of the GDPR is critical in setting up your business for future success. More than additional work streams, the GDPR is a fundamental shift in how governments are protecting their citizens’ online data.

Companies who promote these rights have the opportunity to strengthen the bonds between users, customers and employees alike.

Learn more about how Truework promotes transparency by changing the way sensitive financial information is shared.

This is part 3 of 3 in our series on GDPR. Read part 1 here. Read part 2 here