If organizations want to process personal data, there are six legal grounds to do so: legitimate interest, consent, legal obligation, public interest, vital interest and contractual obligations.
‘Data subjects’, or those whose personal data is being processed, have the right to be informed that a company processes their data, the right to access it, the right to rectification, the right to erasure (i.e. the ‘right to be forgotten’), the right to restrict processing, the right to data portability, the right to object and the right to not be subject to automated decision-making, including profiling.
Quite challenging! How, for example, will you respond to a request under the ‘right to be forgotten’? You will need procedures to delete personal data, for instance when a customer no longer wants to receive any mailings. But how will you guarantee that you never send a mailing to this person again if you are not allowed to keep the personal data of the people who asked to be forgotten?
The enforcement of individuals’ rights goes hand in hand with obligations for companies and organizations, backed by the possibility of high fines. Companies and organizations must:
- define a data protection governance strategy covering clear roles and responsibilities, e.g. designation of a Data Protection Officer (DPO) if required by the GDPR, and people that follow up in case of data breach;
- take action to comply with the legal GDPR requirements, e.g. data processing agreements and transparency;
- support GDPR processes with appropriate policies, tools and systems, specifically those responding to data subjects exercising any or all of their rights;
- guarantee privacy by design and privacy by default;
- execute Data Protection Impact Assessments (DPIA) where mandatory;
- invest sufficiently in awareness and train employees in the new mindset, behaviors and responsibilities.