3. Communicating Privacy Information
A key element of GDPR, as it was of the DPA, is transparency: providing accessible information about how you will use personal data. The most common way to do this is a privacy notice, and GDPR requires that notice to contain more information than the DPA did.
4. Individual’s Rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide it electronically in a commonly used format. Those rights are:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- the right not to be subject to automated decision-making including profiling.
5. Subject Access Requests
You will be required to respond within one month to requests from individuals about the personal data you hold on them, including what data you hold and why you are holding it. You are not generally allowed to charge for access requests; only in extreme circumstances, such as requests that are manifestly unfounded or excessive, may you charge a reasonable fee or refuse to respond. If you carry out automated processing of personal data, such as ratings or credit checks, a separate set of rules applies.
6. Lawful Basis for Processing Personal Data
You should identify the lawful basis under GDPR for each of your processing activities, document it, and update your privacy notice to explain it.