The GDPR gives new and enhanced Rights to the data subject, who for most organisations means their customers and employees. Given the attention the GDPR has already generated, and because the Supervisory Authorities (the ICO in the UK) are likely to publicise those Rights after 25th May 2018, it is almost certain that handling them will become a major task for organisations. If companies are not prepared to deal with each of the data subject’s Rights, they will find the administrative burden onerous and satisfying requests within the time allowed difficult. Since the GDPR covers personal data held in hard-copy filing systems as well as electronic records, this must be taken into account when mapping where personal data is stored; archived paper documents must be included too.
Article 12 sets out the information, communication and modalities to be followed when a data subject exercises his or her Rights. In summary, the Rights must be provided free of charge and responded to within one month of receipt of the request; where the request was made electronically the information should, where possible, be provided in a commonly used electronic form. The one-month period may be extended by a further two months where necessary, taking into account the complexity and number of requests, but the Data Controller (the company or organisation) must tell the data subject within the first month that it is extending the period and why. If the controller does not act on a request at all, it must tell the data subject why, within one month, and inform them of their right to lodge a complaint with the Supervisory Authority or to seek a judicial remedy.
Senior management teams should note that non-compliance with Articles 12 to 22, i.e. the Rights of the data subject, falls into the higher tier of administrative fines, which may extend to €20 million or 4% of total worldwide annual turnover, whichever is higher.
Article 15 – Right of Access
This is likely to be the most frequently exercised Right. The data subject has the Right to discover whether their personal data is being processed and, if so, to receive a copy of that data together with the information Article 15 lists (the purposes, the recipients, the retention period, the source of the data, and so on). The copy would include any notes or commentary about them, voice recordings, or segmentation and profiling carried out on their data; it would also include emails and letters. Examples where opinions may prove contentious, or even embarrassing, are interview notes and annual appraisals in an HR context, or notes on a CRM system and emails between customer service staff in a consumer context. Care must therefore be taken when recording the details of interactions on electronic systems, or when telephone calls are recorded.
- Do you know where all personal data is stored, and can you retrieve it quickly? A Records of Processing Activities exercise, if you have undertaken one, will really help here.
- How will you transfer the data to the individual?
- Is there anything written down that you would rather he / she didn’t see?
Article 16 – Right to Rectification
This speaks directly to the principle of data accuracy. A data subject has the Right to have inaccurate personal data rectified, and incomplete data completed, at any time. In the main these will be very simple changes, such as a new address or telephone number. It is, of course, in the data controller’s interest to hold accurate data: communications and other interactions, such as deliveries, are wasted if the personal data is wrong or incomplete. An easy way to achieve this is an ‘account’ or ‘preference centre’ that the data subject can log into to correct their personal data and update their marketing preferences themselves. Many utility companies do this already.
- Do you have a customer account system on your website?
- Have you ever looked at your records to see if they are complete and / or accurate?
- Do you ever circle back to the source when you get ‘bounce-backs’ from email marketing messages?
Article 17 – Right to Erasure
This is one of the new Rights and is sometimes referred to as the Right to be Forgotten. The Article states that the data subject has the Right to have their personal data erased where one of the following applies:
- the personal data is no longer necessary in relation to the purposes for which it was collected;
- the data subject withdraws consent and there is no other legal ground for the processing;
- the data subject objects under Article 21 and there are no overriding legitimate grounds for the processing (for direct marketing no grounds need be weighed);
- the personal data has been unlawfully processed;
- the personal data has to be erased to comply with a legal obligation; and
- the personal data was collected in relation to the offer of information society services to a child.
However, other legal obligations often trump the Right to Erasure. In the UK, for example, records of financial transactions must generally be kept for six years. There are further exemptions where organisations must or may keep the personal data, but these are too numerous to list here. One apparent anomaly is that when a data subject has their personal data erased, a suppression record should still be kept against direct marketing lists so that the individual does not reappear on them and inadvertently receive marketing material; a suppression record holds only what is needed to recognise the person again, not their full record.
Companies must ensure that their HR and customer databases can actually delete a data subject’s record should the need arise. Many systems archive or obfuscate a record without fully deleting it, and that is not the same as erasure. Another issue is that you must pass the erasure request on to those you have sent the personal data to, i.e. companies that process data on your behalf, so that the processor also deletes the record unless there are other grounds for retaining it. We predict that this will be the most contentious and difficult of the Rights to implement.
- Can you properly delete a record from your systems?
- Do you have a Retention Policy that you can refer to when you are unable to delete a record for legal reasons?
- Can you be sure that your processors will also delete a record on request?
Article 18 – Right to Restriction of Processing
This Right would normally be a temporary measure but is important nonetheless. The data subject may exercise it where one of the following applies:
- if they think their records are inaccurate and they want this corrected before any further processing is undertaken;
- if they think the processing is unlawful, but do not want their data erased;
- if the controller no longer needs the personal data for the purposes of the processing, but the data subject requires it for the establishment, exercise or defence of legal claims; and
- if the data subject has objected to processing carried out under legitimate interest, pending verification of whether the controller’s legitimate grounds override theirs.
While the restriction is in place the data may only be stored; any other processing requires the data subject’s consent, or must be for the establishment, exercise or defence of legal claims, for the protection of another person’s rights, or for reasons of important public interest. The data subject must be informed before the restriction is lifted. For some organisations isolating one record from routine processing may be technically difficult. Naturally, if records are kept up to date and the processing is lawful, this Right will rarely be exercised.
- Can you isolate a record to ensure that it isn’t processed alongside others?
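As an added illustration (this is not code from the original article or from any real product), the following Python store shows the two mechanics discussed under Articles 17 and 18 above: an erasure that really deletes the row and leaves behind only a keyed hash on a suppression list, so that an erased person cannot silently reappear through a later import, and a restriction flag that every processing job must honour. The HMAC key, the record layout and the sample customers are constructed for the example; a real deployment would also have to cover backups, archives and processors, which this in-memory store does not.

```python
"""Erasure with a keyed suppression list, plus an Article 18 restriction flag.

Added illustration only: a small in-memory customer store. The key, record
layout and sample customers below are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key. In production this is a secret managed like a
# credential: anyone holding it can test whether a given address is suppressed.
SUPPRESSION_KEY = b"demo-only-not-a-real-secret"


@dataclass
class Record:
    email: str
    name: str
    restricted: bool = False  # Article 18: True means "store only, do not process"


class CustomerStore:
    def __init__(self, suppression_key: bytes = SUPPRESSION_KEY):
        self._records: dict[str, Record] = {}
        self._suppressed: set[str] = set()  # keyed hashes only, never personal data
        self._key = suppression_key

    @staticmethod
    def _normalise(email: str) -> str:
        # Case and whitespace differences must not let a suppressed person back in.
        return email.strip().lower()

    def _token(self, email: str) -> str:
        # HMAC rather than a bare SHA-256: without the key, a plain hash of an
        # email address is reversed by simply hashing a list of known addresses.
        return hmac.new(self._key, self._normalise(email).encode(), hashlib.sha256).hexdigest()

    def add(self, rec: Record) -> bool:
        """Insert a customer; returns False and stores nothing if they were erased before."""
        if self._token(rec.email) in self._suppressed:
            return False
        self._records[self._normalise(rec.email)] = rec
        return True

    def erase(self, email: str) -> bool:
        """Article 17: delete the row outright and keep only a keyed token.

        The token lets a later import (or a list bought from a third party) be
        screened so the person does not reappear, while the store no longer
        holds their name or address. Returns True if a record was deleted.
        """
        existed = self._records.pop(self._normalise(email), None) is not None
        self._suppressed.add(self._token(email))
        return existed

    def restrict(self, email: str, restricted: bool = True) -> bool:
        """Article 18: mark a record storage-only, or lift the restriction."""
        rec = self._records.get(self._normalise(email))
        if rec is None:
            return False
        rec.restricted = restricted
        return True

    def is_suppressed(self, email: str) -> bool:
        return self._token(email) in self._suppressed

    def holds_personal_data_for(self, email: str) -> bool:
        return self._normalise(email) in self._records

    def marketing_audience(self) -> list[str]:
        """A processing job. Every job of this kind must skip restricted records."""
        return sorted(r.email for r in self._records.values() if not r.restricted)


def demo() -> dict:
    """Walk through a restriction and an erasure on constructed sample customers."""
    store = CustomerStore()
    for email, name in [("alice@example.com", "Alice"),
                        ("bob@example.com", "Bob"),
                        ("carol@example.com", "Carol")]:  # constructed sample data
        store.add(Record(email, name))

    store.restrict("bob@example.com")    # Bob disputes accuracy: storage only for now
    store.erase("carol@example.com")     # Carol's erasure request is honoured
    # A re-import attempt with different case and a stray space is still refused.
    readded = store.add(Record("Carol@Example.com ", "Carol"))

    return {
        "audience": store.marketing_audience(),
        "carol_held": store.holds_personal_data_for("carol@example.com"),
        "carol_suppressed": store.is_suppressed("carol@example.com"),
        "carol_readded": readded,
        "bob_restricted": store._records["bob@example.com"].restricted,
    }


if __name__ == "__main__":
    print(demo())
```

The suppression list never contains an email address, so an attacker who obtains it learns nothing without the key; conversely, if the key leaks, the tokens become guessable for any address the attacker can enumerate, which is why the key deserves the same protection as the customer data itself.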
Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
This Article states that the data controller must notify each recipient to whom the personal data has been disclosed whenever a data subject’s personal data is rectified, erased or restricted, unless this proves impossible or involves disproportionate effort. If the data subject asks who the recipients are, they must be told.
- Do your contracts with your data processors have clauses that specifically deal with the Rights of the data subject?
Article 20 – Right to Data Portability
This is a new Right. It means a data subject can receive the personal data they provided to a controller in a structured, commonly used and machine-readable format, and can have it transmitted directly from one data controller to another where technically feasible. The best examples are switching from one retail bank to another, or changing energy supplier. The Right applies only to data the data subject provided and that is processed by automated means on the basis of consent or a contract; data the controller has derived or inferred is not covered.
- Can you export the personal data to a machine-readable file, e.g. a CSV, JSON or XML file?
- Can you receive the same information into your systems?
- Is there an industry standard for your organisation?
Article 21 – Right to Object
The data subject has the Right to object to processing carried out under legitimate interest or in the public interest; the processing must then stop unless the data controller can demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the data subject. For direct marketing the Right is absolute: once the data subject objects, processing for that purpose must cease, with no balancing test. The ‘Unsubscribe’ link at the bottom of marketing emails is the familiar way of honouring it. Information about the Right to Object must be brought to the data subject’s attention at the latest at the time of the first communication, and it must be presented clearly and separately from other information.
- Do your marketing messages have an ‘unsubscribe’ button?
- Can you exclude a data subject from future messages when they have unsubscribed?
- Do you give the data subject this information when you first communicate with them?
Article 22 – Automated individual decision-making, including profiling
Automated decision-making will become increasingly common given the rise of Artificial Intelligence and machine learning technologies. It provides huge benefits to the company, in terms of reducing its cost base, and gives customers a much faster service. However, the GDPR states: “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”.
A good example is searching for car insurance, or applying for a loan online: you enter the relevant details and the website returns a quotation, or a decision, based on your answers. Such a decision is permitted where it is necessary for a contract with the data subject, authorised by law, or based on the data subject’s explicit consent, but even then the data subject has the Right to obtain human intervention, to express their point of view and to contest the decision; in practice this means being able to speak to a human being to appeal or to ask why the application was declined. The data subject is also entitled to meaningful information about the logic involved and the significance and envisaged consequences of the processing, although the data controller does not have to give away its trade secrets or publish the full algorithm.
- Does your organisation have the customer service resources to field calls from data subjects who want more information about the automated decision-making process, or who want to challenge a particular decision?
In addition to the practicalities described in each section above, a data controller should consider the following:
- In order to find a data subject’s personal data quickly and efficiently, within the one-month period stated by the GDPR, it is advisable to have conducted a Records of Processing, or data mapping, exercise beforehand.
- A data controller must be able to verify that the person exercising a Right is indeed who they claim to be. Article 12(6) allows the controller to request additional information to confirm identity where it has reasonable doubts. Social engineering is one of the major causes of identity fraud, and a subject access or erasure request is an attractive route to someone else’s personal data, so organisations must assure themselves, as best they can, that a request is genuine before releasing or deleting anything; the checks should be proportionate to the sensitivity of the data involved.
- Aligned to the above point, organisations must have robust procedures in place for dealing with a data subject exercising any of these Rights, and the staff likely to be in the front line when such requests arrive must be trained in them.
These new and enhanced Rights mean that the data controller must have the freedoms and interests of the data subjects at the heart of its personal data processing activities, irrespective of whether those activities involve customers or employees. The Regulation itself signals how seriously this is taken: Article 83(5) places non-compliance with Articles 12 to 22 in the top bracket of fines and sanctions.