For organizations subject to the GDPR, there are two broad categories of compliance you need to understand: data protection and data privacy. Data protection means keeping data safe from unauthorized access. Data privacy means empowering your users to make their own decisions about who can process their data and for what purpose.
Chapter 3 of the GDPR lays out the data privacy rights and principles that all “natural persons” are guaranteed under EU law. As an organization, you are obligated to facilitate these rights. Failure to do so can result in penalties (see “GDPR fines”). Here’s a very basic summary of each of the articles under Chapter 3.
You have to explain how you process data in “a concise, transparent, intelligible and easily accessible form, using clear and plain language” (see “privacy notice”). You must also make it easy for people to make requests to you (e.g., a right to erasure request) and respond to those requests quickly and adequately.
At the moment you collect personal data from a user, you need to communicate specific information to them. If you don’t collect the information directly from the user, you are still required to provide them with similar information. These articles list the exact information you have to provide.
Data subjects have the right to know certain information about the processing activities of a data controller. This information includes the source of their personal data, the purpose of processing, and the length of time the data will be held, among other items. Most importantly, they have a right to be provided with the personal data of theirs that you’re processing.
The accuracy of the data you process is only tangentially an aspect of data privacy, but people have a right to correct inaccurate or incomplete personal data that you are processing.
Also known as the “right to be forgotten,” data subjects have the right to request that you delete any information about them that you have. There are five exemptions to this right, including when processing their data is necessary to exercise your right to freedom of expression. You must make it simple for data subjects to file right to erasure requests. You can find a template for such requests here.
Short of asking you to erase their data, data subjects can request that you temporarily change the way you process their data (such as removing it temporarily from your website) if they believe the information is inaccurate, is being used illegally, or is no longer needed by the controller for the purposes claimed. The data subject has the right to simply object to your processing of their data as well. Also important to note: if you decide to take any action related to Articles 16, 17, or 18, then Article 19 requires you to notify the data subject.
As you can see, the data privacy principles of the GDPR are fairly straightforward. The law asks you to make a good faith effort to give people the means to control how their data is used and who has access to it. To facilitate this, you must transparently and openly provide them with the information they need to understand how their data is collected and used. And you have to make it simple for your customers and users to exercise the various rights (of access, of erasure, etc.) contained in Chapter 3.
Check out our GDPR compliance checklist, which is another resource to ensure your organization is meeting the standards set out in the GDPR.