We already outlined the basics of the upcoming General Data Protection Regulation (GDPR) and why it will affect organisations globally and in Australia (click here for that blog post).
This time, we summarise the key changes/updates the regulation outlines in relation to data subjects rights – without all the fuss.
Data Subjects’ Rights
The GDPR has outlined 6 major changes/updates on data subject rights.
- Breach notification: Notifying data subjects when a breach occurs will become mandatory. Australians are already required by law under the newly implemented Notifiable Data Breaches Scheme to inform affected parties, as well as the commissioner, of any data breaches.
- Right to Access: Data subjects have the right to obtain information from a data controller as to whether their personal information is being used, and if so, for what purpose. They have to receive this information free of charge.
- Right to be forgotten: Data subjects have the right for a data controller to erase all their personal information. Conditions which need to be met for this are the data no longer being relevant to the original purpose, or the data subject withdrawing consent.
- Data Portability: Data subjects have the right to receive their personal data and transfer it to another data controller.
- Privacy by Design: Simply put, this rule outlines the requirement for inclusion of data protection from the beginning of designing a system, rather than afterwards.
- Data Protection Officers: Appointing a Data Protection Officer will only be required for controllers and processors whose activities consist of processing operations which require “regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.”
For more information on GDPR, head to the official European Commission site here. For Australian businesses, the OAIC has compiled a resource here.