Under UK GDPR, not only do businesses have to respect the seven principles, but everyone in the UK has rights concerning their data, which businesses must respect. For the next eight weeks, we’ll be going through each of these rights in further detail.

The first is the right to be informed. Covering some of the key transparency requirements of the UK GDPR, it is about providing individuals with clear and concise information about what organisations do with their personal data.

The second is the right of access. Also known as subject access, this gives individuals the right to obtain a copy of their personal data, as well as other supplementary information. This is often in the form of a Subject Access Request. It helps individuals to understand how and why organisations are using their data, and check they are doing it lawfully.

The third is the right to rectification. People have the right to have inaccurate personal data corrected or completed. If you’ve taken steps to cover the accuracy principle of the UK GDPR, then this shouldn’t come into play that often.

The fourth is the right to erasure. Also known as the right to be forgotten, people have the right to ask for their data to be erased under certain circumstances, and only applies to data held at the time the request is received.

The fifth is the right to restrict processing. Similar to the right to erasure, people have the right to ask for their data to only be processed in limited ways. Similarly, the request is only granted under certain circumstances, and people require a particular reason for wanting the restriction.

The sixth is the right to data portability. People may ask for the personal data they gave, and receive it in a structured, commonly used and machine readable format. They may also request a secondary controller to receive the information as well.

The seventh is the right to object. Similar to the rights of erasure and restriction, people can stop or prevent organisations from processing their data. The objection may apply to all their data, or a limited amount, but only applies under certain circumstances.

There is an eighth part, which may not always be relevant. Data subjects have rights in relation to automated decision making and profiling. Organisations cannot make solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals.

Make sure that your processing enables people to have full access to their rights, and if you have any questions about data protection, feel free to get in contact.