What you need to know.

The GDPR provides a number of rights to data subjects whose personal data is stored (your employees, customers,…). Most of these rights already exists today. The data subjects have, for instance, the right to obtain a copy of their data and they can have such data rectified. In certain circumstances, they can also request to completely erase their personal data (“right to be forgotten”).

The GDPR extends some of these existing rights, or clarifies them, and also introduces new rights. From 25 May 2018, for example, data subjects will have the right to have their data transferred to a third party, for example a competing supplier, in a reusable format.

It is important that data subjects are able to exercise these rights. The right to protection of personal data is a fundamental right (such as the right to privacy). The legislator therefore finds that data subjects must always have control over what happens to their personal data. Such control is (inter alia) given to them by the above mentioned rights. If they are unable to exercise these rights in practice, storing their personal data is prohibited.

Whenever a data subject exercises one of his/her rights, you must respond to this request within a period of one month. If this proves impossible, you must inform the data subject within this month that you are processing his/her request. Subsequently, you have two additional months to actually respond to the data subject’s request. In principle, you cannot ask the data subject for a remuneration and you cannot refuse the request (unless of course the conditions are not fulfilled).

What you need to do by 25 May 2018.

Is your company aware of all data subjects’ rights? Have you checked how requests of data subjects must be answered in practice? For example, when a customer requests a copy of his/her data, then you should precisely know in which databases/documents such data is stored and which data your company precisely holds about this customer. This seems easier in theory than it is in practice.

It will be necessary to examine for each processing activity how the various rights translate into practice. This requires the necessary knowledge about these rights. Subsequently, it is important that you implement internal procedures. Such internal procedures determine who is responsible for responding the employees’/customers’ requests. Do not forget to document these internal procedures!

The persons involved within your company must furthermore receive the necessary practical training. Are they aware that they have to answer within a month? Companies can of course decide to automatize this process through IT solutions. Remember to ask for the necessary identification of the person that has sent the request. If you work with an external call centre, you will also have to make the necessary arrangements with them. After all, their employees will also be confronted with this and will have to be able to react appropriately.