This needs a bit of work but below are the circumstances that might occur.
What are the rights of individuals and how do they operate?
The right to be informed
Individuals continue to have a right to be given “fair processing information”, usually through a privacy/data protection notice. When we currently collect personal data, we have to give individuals certain information, such as our identity and how we intend to use their information. This is usually done through a privacy/data protection notice. Under the GDPR there is additional information that we will need to supply. For instance, we will have to explain the lawful basis for the processing of their data; our data retention periods (how long we keep it for); and that individuals have a right to complain to the ICO if they think that there is a problem in the way that we deal with their personal data.
The right to access (includes subject access requests)
Individuals have the right to be given confirmation that their data is being processed, access to their personal data, and supplementary information (i.e. information that is usually supplied in a privacy notice).
Subject Access Requests
The GDPR continues to allow individuals to access their personal data so that they are aware of and can check the lawfulness of the use and the accuracy of the data.
We will have 1 month from the receipt of the request to comply rather than the current 40 days. We will be able to refuse or charge a “reasonable fee” for requests that are manifestly unfounded, excessive or repetitive. If we do refuse a request, we must tell the individual why and that he/she has the right to complain to the ICO or go to court.
The right to rectification (correction)
Individuals have the right to have their personal data corrected (rectified) if it is inaccurate or incomplete. If the data has already been given to third parties, we must tell those third parties of the correction. We must also tell the individuals about the third parties to whom the data has been given.
The right to erasure (also known as the right to be forgotten)
Individuals have the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. This does not mean that a person can immediately request that his/her personal data is deleted. If the purposes for which the data was collected still exist, then a person will not be able to request the deletion of that data, unless it was given by consent and they are withdrawing their consent. For instance, safeguarding information about an individual cannot be deleted if the retention is still necessary, reasonable and proportionate – e.g. to protect members of the public from significant harm. Another example is that some financial information cannot be deleted immediately due to financial auditing regulations.
The right to restrict processing
Individuals have the right to restrict processing of their personal data in certain circumstances (for instance if a person believes his/her personal data is inaccurate or he/she objects to the processing). If processing is restricted, we can still store the data but cannot otherwise use the data.
The right to data portability
This is a new right introduced by the GDPR. Individuals have the right to obtain and reuse personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT system to another.
The right to object
Individuals have the right to object to processing in certain circumstances.
The right not to be subject to automated decision-making including profiling
The GDPR provides protection against the risk that a potentially damaging decision is taken without human intervention. This right is similar to that contained in the 1998 Act.