So far in our recap of roles and responsibilities ahead of next year’s implementation of the GDPR, we’ve covered the definitions of data controllers and data processors. Cultural organisations will fall into both categories.
But what about the people that the GDPR is all about – the data subjects?
The data subject is the person whose personal data you hold. So for example, if you store personal information about the people who attend your exhibitions, they are your data subjects. As private individuals, we are all data subjects. Personal data is information that relates directly to a data subject, such as their name, address, phone number, email address or credit card number.
Data subjects’ rights under GDPR are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights related to automated decision making and profiling
We looked at data subjects’ new rights under GDPR in an article earlier this year, which gives an indication of what these rights will mean in practice.
In the next section, we introduce ‘anonymisation’ of people’s data, which is a crucial issue for cultural organisations.