What Are Your GDPR Rights, and What Are the Penalties?

Your Rights Under GDPR

GDPR Rights #1 – You have the right to be informed:

  1. what data is being collected
  2. how it’s being used
  3. how long it will be kept and whether it will be shared with any third parties.
  4. This information must be communicated concisely and in plain language.

GDPR Rights #2 — You have the right to access:

  1. You can submit subject access requests, which oblige organisations to provide a copy of any personal data concerning you.
  2. Organisations have one month to produce this information.
  3. You MUST be informed about hacked data within 3 days.

GDPR Rights #3 — You have the right to rectification:

  1. If the individual discovers that the information an organisation holds on them is inaccurate or incomplete, they can request that it be updated.
  2. Organisations have one month to do this.

GDPR Rights #4 — You have the right to erasure (also known as ‘the right to be forgotten’):

  1. Individuals can request that organisations erase their data in certain circumstances, such as when the data is no longer necessary, the data was unlawfully processed or it no longer meets the lawful ground for which it was collected.
  2. This includes instances where the individual withdraws consent.

GDPR Rights #5 — The right to restrict processing

  1. You can request that an organisation limit the way it uses your data.

GDPR Rights #6 — The right to data portability

  1. You are permitted to obtain and reuse your personal data for your own purposes across different services.
  2. This right only applies to personal data that you have provided to data controllers by way of a contract or consent.

GDPR Rights #7 — The right to object

  1. You can object to the processing of personal data that is collected on the grounds of legitimate interests or the performance of a task in the interest/exercise of official authority.
  2. Organisations must stop processing information unless they can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the individual, or if the processing is for the establishment, exercise or defence of legal claims.

GDPR Rights #8 — Rights around Automated Decision Making including Profiling

  1. The GDPR includes provisions for decisions made with no human involvement, such as profiling, which uses personal data to make calculated assumptions about individuals.
  2. There are strict rules about this kind of processing, and you are permitted to challenge and request a review of the processing if you believe the rules aren’t being followed.

What about UK Citizens?

Regardless of what happens with Brexit, the UK has committed to following the GDPR. So, the regulation will apply to UK citizens soon as well. The Cambridge Analytica fiasco, where users’ (and their friends’) preferences were used by a third party, would be illegal under the GDPR without consent.


It remains to be seen how much the rest of the world will benefit from GDPR rules, but there are likely “some rights that companies couldn’t contain to Europeans even if they tried,” says Yana Welinder, a fellow at the Center for Internet and Society at Stanford Law School. “For example, companies will now have to notify a European agency if they had a personal data breach within 72 hours of a breach. If the breach exposes users to high risk, the company also needs to notify users directly.” Those kinds of rules could have spillover benefits to people outside of Europe, and could similarly influence how companies conduct business regardless of the country.