GDPR Compliance Journey - 11 Rights

Gydeline
17 May 2018, 04:36

Summary

TL;DR: In this informative video, Mike Savile discusses the pivotal aspect of GDPR focusing on individual rights concerning their data. He outlines a three-step approach: informing individuals of their rights, enabling them to exercise these rights through various communication channels, and establishing a support process to handle requests efficiently. The video emphasizes the importance of transparency and simplicity in privacy notices and the creation of a user-friendly subject access request form to facilitate compliance with GDPR regulations.

Takeaways

  • 📜 The General Data Protection Regulation (GDPR) is centered around giving individuals more rights regarding their data.
  • 🗣️ Mike Savile introduces the topic of individual rights under GDPR, emphasizing the importance of understanding and implementing these rights correctly.
  • 📝 The process of handling GDPR rights is broken down into three main steps: informing individuals of their rights, enabling them to exercise these rights, and having a support process for follow-up.
  • 👤 The privacy notice on the Gydeline website is designed to be clear and transparent, listing the rights individuals have in plain English.
  • 🔍 Individuals have the right to view the data held about them, request corrections, receive a copy, ask for deletion, object to data processing, and file complaints to supervisory authorities.
  • 📧 There are multiple avenues for individuals to exercise their rights, including email, postal mail, contact forms, and a dedicated subject access request form.
  • 📝 The subject access request form is a simplified method for individuals to specify their requests regarding information, such as obtaining a copy, requesting corrections, or deletion.
  • ⏱️ Gydeline commits to responding to information requests within 24 hours and aims to complete the entire request process within 7 days.
  • 📬 The support desk is equipped with processes to support the enablement of rights for individuals, ensuring a timely and appropriate response to requests.
  • 🔒 The company is careful to explain to individuals how their information will be used and the format in which they will receive the requested information, including the option for a hard copy.
  • 🔄 The video script concludes with a teaser for the next topic, which will be about data minimization, indicating a series of educational content on GDPR compliance.

Q & A

  • What is the main focus of the GDPR?

    -The main focus of the GDPR is to give individuals more rights regarding what is done with their personal data.

  • What are the three steps mentioned in the script for handling GDPR rights?

    -The three steps are: 1) Informing people about their rights, 2) Enabling them to exercise those rights, and 3) Having a process in place to support and follow up on those requests.

  • How is the Gydeline privacy notice designed?

    -The Gydeline privacy notice is designed to be clear, simple, and transparent, using plain English instead of GDPR jargon.

  • What rights are listed in the Gydeline privacy notice?

    -The rights listed include the right to access, rectify, receive a copy of, delete, and object to the processing of their data, and the right to complain to the supervisory authority.

  • What is the purpose of the subject access request form?

    -The subject access request form is designed to deal specifically with information requests, making it easy for individuals to specify their requests related to their data.

  • How can individuals contact Gydeline to exercise their rights?

    -Individuals can contact Gydeline by email, by writing to the address provided on the website, by using the contact form, or by phone.

  • What is the expected response time for initial contact regarding a data request?

    -The initial response is expected within 24 hours of receiving the request.

  • What is the target time frame for completing the whole information request process?

    -The ideal time frame for completing the whole information request process is within 7 days.

  • In what format is the information provided to the individual?

    -The information is sent by email, with a hard copy available if the individual requests one.

  • What support processes are in place to enable the rights of individuals?

    -Support desk processes handle the incoming requests, ensuring that each one is responded to in the right way and that individuals can exercise their rights.

  • What topic will be discussed in the next video of the series?

    -The next video will discuss the topic of data minimization.

Outlines

00:00

📜 Introduction to GDPR Rights

In this video script, Mike Savile introduces the concept of rights under the General Data Protection Regulation (GDPR), emphasizing the importance of understanding and implementing these rights to ensure compliance. The script outlines a three-step approach to handling GDPR rights: informing individuals about their rights, enabling them to exercise these rights, and establishing a process to support and follow up on requests related to these rights. The focus is on transparency and simplicity in communication, ensuring that individuals are aware of their rights regarding their data.

📝 Transparency in Privacy Notices

The script details the process of informing individuals about their GDPR rights through a clear and transparent privacy notice on the Gydeline website. The privacy notice lists the rights individuals have, such as accessing, correcting, receiving a copy of, deleting, and objecting to the processing of their data, as well as the right to complain to the supervisory authority. The language used is plain English to avoid confusion and to ensure that individuals who may not be familiar with GDPR terminology can understand their rights.

📧 Enabling Rights Through Various Channels

The script explains the various methods individuals can use to exercise their rights under GDPR, including emailing, writing, using a contact form, or phoning the company. A specific 'Subject Access Request' form is highlighted, which simplifies the process of making information requests. The form asks for the nature of the request, whether it's for obtaining a copy of information, correcting information, deleting information, or lodging a complaint, and provides a space for additional information. The script also mentions the company's commitment to responding to requests promptly, initially within 24 hours and ideally completing the request within 7 days.

🔍 Support Desk Processes for Rights Enforcement

The final part of the script discusses the support desk processes that back up the company's commitment to enabling and responding to individuals' rights under GDPR. It outlines how requests made through letters, emails, and contact forms are directed to the support desk, where they are handled in accordance with established processes. The script assures viewers that the company is dedicated to responding in the appropriate manner to ensure compliance with GDPR and to make the process of exercising rights as straightforward as possible for individuals.

Keywords

💡GDPR

GDPR stands for General Data Protection Regulation, which is a regulation in EU law that focuses on data protection and privacy for individuals within the European Union. It is the main theme of the video as it discusses the rights of individuals concerning their data and how organizations must comply with these regulations. The video script mentions GDPR as it outlines the steps organizations should take to inform individuals about their rights under this regulation.

💡Individuals' Rights

Individuals' Rights in the context of the video refers to the various rights granted to individuals under GDPR, such as the right to access, rectify, erase, restrict, or object to the processing of their personal data. The video emphasizes the importance of informing individuals about these rights and enabling them to exercise them, which is a key aspect of GDPR compliance.

💡Privacy Notice

A Privacy Notice is a document or section on a website that informs individuals about the organization's data processing activities. In the video, the privacy notice is highlighted as a method to communicate individuals' rights under GDPR. It is described as being clear, simple, and transparent, with the rights listed in plain English for easy understanding.

💡Data Portability

Data Portability is one of the rights under GDPR, allowing individuals to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit it to another data controller. The video script simplifies this technical term by avoiding its direct use and instead focuses on the practical aspect of providing individuals with a copy of their data.

💡Data Deletion

Data Deletion, also known as the 'right to be forgotten,' is a right under GDPR that allows individuals to request the deletion of their personal data from an organization's records. The video script mentions this right and describes the process by which individuals can request their data to be deleted.

💡Subject Access Request

A Subject Access Request (SAR) is a formal request made by an individual to a data controller to obtain information held about them. The video script details a form created for this purpose, allowing individuals to specify their requests related to their data, such as obtaining a copy, correcting, or deleting information.

💡Support Desk

The Support Desk in the video is the department or team that handles requests and inquiries from individuals regarding their data rights. It is part of the process to enable and support individuals in exercising their rights under GDPR, ensuring timely and appropriate responses to SARs and other data-related requests.

💡Data Minimization

Data Minimization is a principle of GDPR that requires organizations to collect and process only the minimum amount of personal data necessary to fulfill a specific purpose. Although not deeply discussed in the script, it is mentioned as a topic for a future discussion, indicating its importance in GDPR compliance.

💡Supervisory Authority

The Supervisory Authority is an independent public authority that monitors and enforces GDPR compliance. Individuals have the right to lodge a complaint with this authority if they believe their data rights have been violated. The video script mentions this right, emphasizing the avenues available to individuals for recourse.

💡Plain English

Plain English refers to the use of simple, clear, and easily understandable language, as opposed to technical or legal jargon. The video script emphasizes the use of plain English in the privacy notice to make the information about data rights accessible to individuals who may not be familiar with GDPR terminology.

💡Information Request

An Information Request in the context of the video is any request made by an individual to a data controller for access to or modification of their personal data. The script describes a specific form designed to handle such requests, aiming to streamline the process and ensure compliance with GDPR.

Highlights

Mike Savile introduces the topic of individual rights under the GDPR.

Emphasis on the importance of understanding and implementing individual rights correctly in GDPR.

Three-step approach to handling GDPR rights: informing, enabling, and supporting requests.

Privacy notice as a tool to inform individuals about their rights under GDPR.

Listing of rights in the privacy notice for transparency and clarity.

Use of plain English in the privacy notice to avoid confusion with GDPR jargon.

Description of the rights such as data correction, deletion, and objection.

Explanation of the process for individuals to exercise their rights, including email and postal contact.

Introduction of a subject access request form for handling information requests.

Details of the subject access request form, including its purpose and fields.

The process of responding to requests within 24 hours and aiming to complete within 7 days.

Format of the response and the option for individuals to request a hard copy.

Support desk processes that facilitate the enablement of rights for individuals.

Hope expressed that the information provided is useful for compliance with GDPR.

Preview of the next topic, data minimization, in the upcoming discussion.

Closing remarks encouraging simplicity in achieving GDPR compliance.

Transcripts

00:00 [Music]
00:04 hi I'm Mike Savile and welcome back to
00:07 the Gydeline GDPR journey this time we're
00:10 talking about rights now this is perhaps
00:13 the key part of GDPR
00:15 it's all about giving individuals more
00:18 rights with what's done with their data
00:20 so it's really important that we get it
00:23 right now
00:24 we're thinking of this in three steps
00:27 really first step is you need to tell
00:29 people about their rights the second
00:32 step what do you need to enable people
00:34 to exercise those rights and then
00:37 finally you need to have a process in
00:38 place to enable to support and follow up
00:42 those requests so let's start with
00:45 telling people about their rights and
00:48 let's take a look at the Gydeline
00:50 privacy notice so here we are at the
00:53 Gydeline privacy statement on our
00:56 website and we've tried to keep this as
00:58 clear and as simple and as
01:01 transparent as possible so if we scroll
01:05 down to the section on rights we've
01:09 listed the rights that people have so
01:12 people can see what data we hold on them
01:14 they can ask for it to be corrected they
01:17 can receive a copy of the data they can
01:19 ask us to delete it they can object to
01:21 what we're doing with it and they can
01:22 complain to the supervisory authority
01:24 and we've tried to describe it in plain
01:27 English rather than using the GDPR terms
01:30 so if we were to tell people about the
01:32 right to portability or the right to
01:34 restriction then that's kind of
01:37 difficult for people to understand who
01:39 perhaps are unaware of the GDPR
01:42 so that's how we tell people about their
01:45 rights the next step is enabling those
01:48 rights so there are a number of routes
01:50 that customers and individuals can take
01:53 they can as it says here they can email
01:56 privacy at Gydeline com they can write
01:59 to us our address is on every page of our
02:01 website they can contact us via our
02:04 contact form or they can phone us on
02:06 our phone number but we've also set up a
02:09 subject access request form
02:13 and if we take a look at this this deals
02:16 specifically with information requests
02:19 and so we've created a simple form that
02:23 asks the individual what the request is
02:27 in relation to and is it for obtaining a
02:30 copy of information is it for having
02:33 information corrected is it for having
02:35 information deleted or is it a complaint
02:38 about our service and then finally any
02:40 other requests that they have so they
02:43 might choose to obtain a copy there's a
02:46 space for them to enter any further
02:50 information so I need information for a
02:56 reference as an example they then enter
03:01 their name and their email and company
03:09 and then we're very careful to explain
03:13 to them as part of this process what
03:16 we're going to use the information for
03:19 how quickly we're going to respond to
03:21 them so initially within 24 hours and
03:24 then ideally completing the whole
03:26 information request within 7 days and
03:29 then the format we're gonna reply
03:31 provide the information in and the fact
03:34 that if they want they can write to us
03:35 for a hard copy and then the individual
03:38 can submit that request that request
03:42 along with letters emails and contact
03:47 forms go through to our support desk
03:50 where we have support processes that
03:54 support the enablement of rights for
03:58 individuals so there you have it that's
04:02 how we at Gydeline have dealt with
04:04 rights so we tell people about them via
04:07 our privacy notice we enable people to
04:10 act on their rights by email or writing
04:13 to us but really via our subject access
04:16 request process and then we follow that
04:18 up and back it up with support desk
04:20 processes that enable us to respond in
04:23 the right way
04:24 so really hope you found that useful
04:26 next time we're talking about data
04:28 minimization but until then we hope you
04:31 find your compliance simple
