Part 7: Individual’s Rights

‘Accountability’ is one of the 7 Principles under the GDPR (General Data Protection Regulation). To ensure businesses comply with their accountability obligations, the ICO has now created a framework that breaks down the key elements of accountability in data protection.

As part of an ongoing series of blogs, CVG Solutions will be guiding you through the ICO’s 10 framework categories, taking a closer look at the importance of each aspect and how to adhere to them.

 

Part 7: INDIVIDUAL’S RIGHTS

 

Respecting the rights of individuals isn’t just good practice, it will also facilitate your organisations’ compliance with the other six key principles of the GDPR. It is vital that everyone in your organisation is aware of all up-to-date policies and procedures and how to comply with them. Implementing good data protection compliance can also benefit your organisation, as it enhances your reputation and can even provide you with a competitive edge by instilling confidence and trust in the people whose personal data you handle.

In short: always be respectful to the individuals whose data you’re protecting or handling. Keep them informed and make sure your policies and procedures can deal with requests quickly and efficiently and that they are regularly reviewed and updated.

There’s a lot of information in terms of complying with the ICO’s framework stipulations for individual’s rights, so it is broken down into 11 separate sections:

1. Informing individuals and identifying requests
   Individuals must be informed of their rights and how to exercise them, so clear policies and procedures must be in place for dealing with data subjects’ requests. All staff need to be able to recognise both verbal and written requests and will require training on how and where to send them.
2. Resources
   Appropriate resources need to be in place to effectively handle requests from individuals about their data. The responsibility for handling these requests should be allocated to an individual or a team. Regular refresher training should be implemented to staff so your organisation can handle any increase in requests or the temporary absence of certain staff.
3. Logging and tracking requests
   All verbal or written requests from individuals must be logged accurately and updated at each stage of handling a request. You should also keep a record of your organisation’s responses to each request.
4. Timely responses
   All requests from individuals should be dealt with promptly, per client expectation and within statutory timescales. If an extension is required, then the individual should be informed. If a request is refused, then be sure to keep a record of the reason for refusal.
5. Monitoring and evaluating performance
   Your organisation should monitor staff handling of requests and produce reports to ensure requests are handled appropriately and to help improve the process. The staff dealing with the requests should meet regularly to share and discuss any issues that arise.
6. Inaccurate or incomplete information
   Appropriate systems and procedures should be in place to correct inaccurate information or add missing information to incomplete records. Proportionate and reasonable steps should be taken to assess the accuracy of stored personal data. If they request it, individuals must be informed about which third parties have received their personal data. These third parties should always be informed of rectifications.
7. Erasure
   Suitable procedures should be in place to erase personal data from both backup and live systems. If any personal data is shared with third parties, they should be made aware of any erasure. If personal data has been made public by being displayed or placed online, immediately inform any other controllers who might process the data to delete any links to or copies of the data.
8. Restriction
   Suitable procedures must be in place to restrict the processing of personal data if required.
9. Data portability
   Individuals need to be able to securely and easily move, copy or transfer their personal data from your organisation to another without affecting the data in any way. All data must therefore be provided in a structured, commonly used and machine-readable format. Where possible, information should be directly transmitted to another organisation.
10. Rights relating to automated decision making and profiling
    Individual rights related to automated decision-making and profiling must be protected. This is particularly important where the processing is solely automated with legal or other significant effects.
    Be sure that the minimum data required is collected and that there is clear retention. Additional checks must be completed for automated decision making and profiling should be performed on vulnerable groups, such as children. Processing must comply with Article 22 if using solely automated decisions that have significant effects on individuals.
11. Individual complaints
    Individuals should be made aware of their right to complain in a clear way, such as through a complaints page or section on your website. Complaints procedures must be implemented and privacy notices used to inform individuals of their right to complain. The DPO’s contact details should be published and clearly visible.

For any changes to data protection and transferring policies as a result of Brexit, or for a full breakdown of what privacy information includes, get in touch with CVG Solutions and we can help guide you through everything you need to know and ensure you meet all the requirements laid out by the ICO.

Check back for monthly updates and information regarding the ICO Accountability Framework. In May, we’ll be taking a closer look at Records of Processing and Lawful Basis. You can also read our other blogs in the series on:

Leadership & Oversight (Part 1) 

Training & Awareness (Part 2)

Transparency (Part 3)

Contracts and Data Sharing (Part 4)

Records Management & Security (Part 5)

Policies & Procedures (PART 6)

 

If you require any further help, guidance, information or clarification, you can contact CVG Solutions at info@cvgsolutions.co.uk, or call us on 01775 660-506. Additionally, you can fill out a digital self-assessment form on the ICO website.

CVG Membership

As a brand new addition to CVG Solutions, we launched a membership option last year. Sign up for announcements and updates as they happen, so you don’t miss out on future entries of our Guide to the ICO Accountability Framework blog series.  Simply email us at info@cvgsolutions.co.uk and ask to be added to our mailing list.

 

Individual’s Rights Checklist

Not entirely sure whether your organisation is complying with the regulations laid out by the ICO? No problem, just use this checklist to see where you might be going wrong:

• Do all staff understand how to recognise a request and where to send them?
• Would individuals say that you provided useful materials to help them to exercise their rights?
• Are staff aware of their key responsibilities and how to deliver them in practice?
• Would your staff say that you have appropriate resources to deal with the volume of requests?
• In the case of staff absences, could key tasks in the request process be covered by more than one individual?
• Could you locate relevant records easily?
• Are the records correct?
• Would a small sample of requests show that your staff follow the policies and procedures?
• Would staff say that the process in place to deal with issues is regular and effective?
• Would requesters say they were kept well-informed about the progress of their request?
• Did requesters receive clear information?
• Are the management reports easy to understand?
• Does senior management know about current performance?
• Are the actions clear and are they followed up?
• Would staff say there are effective processes in place to rectify inaccurate or incomplete personal data?
• Would requesters say they were given clear information about the steps you took?
• Would staff say you have effective processes in place to restrict personal data?
• Would staff say there are effective processes in place to erase personal data?
• Would staff say you have effective data portability processes in place?
• Would requesters say you gave them clear information?
• Do staff and customers find your retention policy clear?
• Do staff say you have effective processes to protect rights relating to automated decision-making and profiling?
• Would individuals say you made it easy to request human intervention, express their opinion and challenge a decision?
• Would complainants say that they were clear about how to make complaints and how it would be handled?

About the Author

Cristina is recognized as a leader in the GDPR industry and has 25+ years of experience working for large international corporations. During this time Cristina has acquired an extensive knowledge and practical application of data protection, risk management and compliance.   Cristina uses all of her expertise in helping her clients of all sizes to improve their understanding of the GDPD, how it can strengthen their brand, and how it can support them to drive business growth.  Cristina is the creator of the ‘GDPR 3 Stages Maturity Lifecycle’ and of the ‘GDPR Toolkit’.  Click here to know more.