You’re a data controller, or perhaps a data processor. If you had your own DPO it would be part of their job to help you to uphold the rights of your data subjects: the people whose personal data you are using.
It’s only a part of the DPO job to advise you as a data controller. It’s up to you as a data controller to choose how you plan to uphold those rights.
Just so you’re clear, the rights of the data subject are:
- The right to be informed (about what you want to do with their personal data, so they can make an informed choice about whether or not to let you use it).
- The right of access (to ask you if you are holding any personal data about them and if so, what it is).
- The right to rectification (if the personal data you hold contains errors, they have the right to have them corrected).
- The right to erasure (otherwise known as “the right to be forgotten”; this is not an absolute right, so it is worth knowing exactly what might be involved).
- The right to restrict processing (they can make you stop processing their personal data and you need to make sure it happens).
- The right to data portability (they can ask for a copy of their personal data in a structured, commonly used and machine-readable format).
- The right to object (the right to object to how you process their personal data).
- Rights in relation to automated processing, including profiling (again, this one can get complicated if it applies to you).
Upholding data subject rights is not a time for busking it. If you don’t know the tune it’s really hard to hum along with it.