Under the GDPR, individuals have increased rights to manage the information which data controllers and data processors hold about them. Amongst others, these rights include:
- the right of access;
- the right of rectification;
- the right of erasure; and
- the right to data portability.
In order to satisfy any such requests, businesses need to know where and how individuals’ data is stored, must have the tools to recover any data that has been shared and must be able to amend, delete, or share the data as required.
For example, the right of rectification allows individuals to require that personal data held about them is corrected if it is inaccurate or incomplete. If such a request is made, a business must be able to make the necessary changes to all data it holds about the individual and must ensure that anyone it has shared the data with does the same.
Similarly, the right to data portability means an individual has the right to require that his or her personal data is moved, copied or transferred from one service provider to another. If a customer asks a business to transfer his or her personal data to another provider, the business must be able to collate all the information it holds about that customer, including information which has been shared with others, and must be able to transfer this to the other provider free of charge within a month.
