New data rights

Under existing laws, ‘data subjects’ (customers) have:

  • The right to object to processing for direct marketing
  • Right to be forgotten (e.g. Google’s online search results)
  • The right to make Subject Access Requests (SARs)

However, under GDPR legislation, customers will be able to still object to processing for direct marketing, but will also have:

  • A right to object to automated processing (profiling) for legitimate interests
  • The right to be forgotten becomes ‘the right to erasure’, which enables data customers to request personal data to be erased ‘without undue delay’
  • Subject Access Requests must now be free of charge
  • The right to rectification, allowing people to correct personal data about them that is inaccurate, and request the completion of incomplete data
  • The right ‘not to be subject to a decision’ when:
    • It is based on automated processing, and;
    • It produces a legal effect (or similarly significant effect) on them
  • The right to data portability, this is a new addition to the regulations and critics fear that it could lead to disproportionate compliance costs. It requires organisations to hand over personal data to a customer in a usable, transferable format for further use by the data subject. For example, if an individual wishes to switch between service providers.
    • One outcome of this may well be that a new sector of ‘data aggregation’ service providers comes into being. Imagine a proposition whereby all your credit card spending, loyalty rewards and personal expenditure data were aggregated and curated in a live dashboard for you to access and from which personalised ‘advice’ or guidance might be forthcoming. Add to this data from smart meters, online browsing and voice-activated personal assistants and it’s not hard to imagine a huge swathe or live customer data being transferred on a daily basis from multiple sources to a nominated ‘custodian’ of a consumer’s data.
    • It is this obligation to make data available and to transmit it that holds a significant degree of fear for those businesses that understand where the consumer democracy is ultimately heading.

What this all essentially boils down to is that organisations need to better understand what data they hold, why they hold it, how they have gained permission to hold it and whom they are sharing the information with.

They then need to ensure they are being upfront and transparent in effectively communicating this with customers, as well a giving individuals the opportunity to control their own data.


Our current ‘Ask the Experts’ GDPR report has been produced in partnership with one of our Group Companies Response One and one of our Partner organisations MyLife Digital.

To read the report in full, register here to receive your copy ‘Ask the Experts’ GDPR report

Talk to us if you want to learn more. 

Back to Insights

Bench Newsletter

Register here to receive the latest Newsletter