As summarised from ICO guidance:
Other than knowing this, it would seem that the rules around data marketing have not changed much, so if you were doing it right in the first place, you don’t have too much to worry about in the grand scheme of things!
HOWEVER, IMPORTANT: GDPR (replacing the DPA) and the new Electronic Privacy Regulation (ePR) (which will replace The Privacy and Electronic Communications Regulations (PECR)) are brothers. This only deals with the former (which is about privacy and the collection and processing of personal data, including the rights of data subjects), BUT DON’T FORGET ABOUT the latter, which is equally important and which deals with the specific rules on:
- marketing calls, emails, texts and faxes;
- cookies (and similar technologies);
- keeping communications services secure; and
- customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
|What are your rights as a Data Subject?||How do we (the business) honour your right?|
|The right to be informed||We must provide ‘fair processing information’, typically through a privacy statement such as this describing how and why we collect and use your Personal Data.
Read more guidance from the ICO on what information we should supply you and when you should be informed (which shall differ depending on whether or not we obtained the Personal Data directly from you or a third party).|
|The right of access||We try to be as open and transparent as We can be in terms of giving people access to their Personal Data. You are entitled to be aware of and be able to check the lawfulness of any processing of Your Personal Data. You can find out if We hold (and process) any Personal Data by making a ‘Subject Access Request’ under the Data Protection Act 1998 / EU data protection regulation 2016/679. If We do hold Personal Data about You, We will let You have a copy of that Personal Data. To make a request to access Your Personal Data that We may hold, You need to put the request in writing, addressing it to the postal address provided below. We will action Your request without delay and at the latest within one month of Your request, subject to any extensions granted.|
|The right of rectification||You are entitled to have Your Personal Data rectified if it is inaccurate or incomplete. If We have disclosed this to third parties, We will inform You. We have one month initially to rectify subject to possible extension. Where We decide not to rectify, We shall inform You of Your further rights.|
|The right of erasure||You have a legal and personal “right of erasure” which is also known as the “right to be forgotten”. Upon Your request, We will close Your Account and remove Your Personal Data as soon as reasonably possible from all of our records unless a lawful reason exists for Us to retain some or all of it.|
|The right to restrict processing||You have a right to ‘block’ or ‘suppress’ the processing of your Personal Data under certain circumstances but We are still entitled to store just enough of Your Personal Data to ensure that the restriction is respected in future.|
|The right to data portability||
Read more guidance from the ICO.
|The right to object||You are entitled to obtain (in a commonly used and machine readable form) and reuse Your Personal Data that You have provided to us (via consent or contract performance) and which We process by automated means for Your own purposes across different services and free of charge. We must respond to a request without undue delay, and within one month whether or not We decide to action Your request. Where We decide not to, We shall inform You of Your further rights.|
|Rights related to automated decision making and profiling||Subject to any GDPR exceptions, We should not take a potentially damaging decision concerning you as a result of using automated processing operations without human intervention. We must ensure that you have the opportunity to: obtain human intervention; express your point of view; and obtain an explanation of the decision and challenge it.
The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict e.g. their performance at work; health; personal preferences; behaviour; or, location. When processing personal data for profiling purposes, we must ensure that the processing:
Tel: 0800 6894168