On a basic level, GDPR Article 16 provides data subjects with the ability to ‘rectify’ (modify) their personal data.
In terms of the organisation’s obligations, ‘rectification’ refers to an individual’s right to ensure that any data held on them is accurate, and any inaccuracies are dealt with accordingly.
As it deals with legal concepts, rather than any operational matter, Article 16 doesn’t feature within any ISO-related sub-clauses or controls.
Right to Rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement
Right to Rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement
Data held on a subject is a reflection of themselves as both a private an individual and a consumer.
Individuals place a great deal of importance in PII for a number of reasons, not least because of the role such data plays in informing the decisions of third party organisations (e.g. credit reference agencies, banks and government organisations) that have a direct impact on a person’s life.
As such, incorrect data can represent a severe risk that inhibits a person from enjoying the same freedoms and privileges that would occur if said data was 100% correct.
GDPR legislation stops short of offering a concrete description of what can be labelled as ‘inaccurate’, but in general, this means that the facts contained within a person’s data don’t conform with reality.
Incomplete personal data is a difficult concept to define. Data may be deemed ‘complete’ for one purpose, but ‘incomplete’ for an unrelated purpose. As such, organisations are only obliged to rectify data sets that are incomplete for their stated purpose.
Our pre-configured Records of Processing Activity tool makes it simple to record and review data, as well as add your organisation’s details. We provide easy to use templates for recording privacy and legitimate interest assessments.
It is essential to demonstrate how well you manage Data Subject Rights Requests (DRR). Our secure DRR space keeps everything in one place, providing automated reporting and insight.
Whether you’re prepared for the worst or not, we make it simple to plan, communicate, document, and learn from every incident. Find out more by booking a demo.
