What type of data rights are they talking about?
The GDPR requires all data controllers to uphold certain data rights. They are as follows:
- Data protection - individuals have the right to the protection of their personal data.
- Consent - where consent was previously given, an individual may withdraw that consent at any time.
- Complaints - an individual may lodge a complaint with a supervisory authority.
- Direct marketing - individuals have the right to object to direct marketing.
- Automated decision making - subject to certain criteria, you cannot make decisions which impact individuals, where these decisions are made by computers alone, i.e. without human intervention.
- Access – An individual can request you provide them the personal data you hold on them.
- Rectification – An individual can request you correct any inaccurate personal data you hold on them.
- Portability – An individual can request you provide them the personal data you hold on them in a digital format they can use to transfer the data to another provider.
- Objection – An individual can object to your use of their personal data and require your justification for using it.
- Restriction – An individual can ask that you do not use their personal data.
- Erasure – An individual can ask that you delete any personal data you hold on them. This is the “right to be forgotten.”
Some of these rights already existed, but they are now supported by a regulation that makes them universal and enforceable across the EU. To guarantee these rights, organisations will need to have a clear understanding of where personal data sits in their organisation and whether any of it is stored in third-party services. Without this understanding it will be extremely difficult to fulfil the right to be forgotten.
To ensure these data subject rights, the GDPR requires clear and prompt notices to individuals of their rights whenever personal data is collected.
If the organisation is collecting data on children, collecting or using sensitive data, or using automated decision-making processes on the personal data it has collected, then there are further obligations with which it has to comply.
In effect, you are now a custodian of the personal data you hold. You are accountable to the supervisory authorities and ultimately the individuals as to how you use their personal data.