22 February 2018
GDPR: The rights of individuals and how to adhere
Are you GDPR ready? With just a few months to go until the EU General Data Protection Regulation comes into force, here are the key facts around data subject rights and what you can do to stay compliant.
GDPR provides rights through the relationship between data controllers and data subjects. But what are data controllers and data subjects? And what are the rights of the individual?
Essentially, data controllers (or data processors, who process data on behalf of data controllers) are the individuals or groups, usually at a company, who process data. Data subjects are the people about whom data is collected.
Under the new rules, this relationship is crucial, as an agreement must exist between the two parties over any data that is retained. Transparency is essential too, as data subjects should always be fully informed on the personal data being gathered and held about them and for what purpose it is kept.
Access requests
As an organisation, you must only process data that is relevant and lawful, and it must be securely handled at all times. This is not just a process for keeping data safe – if someone asks to see a record of their personal data and what it consists of (other than where an exemption applies), then it must be provided quickly and in full; this is called a ‘data subject access request’.
Staff at your organisation need to know how to deal with a subject access request or at the very least, who to pass it on to. When requests are forwarded, this will generally be to the data protection or privacy officer who should typically oversee the whole request, but at the very least give clear guidance to the relevant staff, so they can correctly follow the right procedures.
When a data subject access request is made, you and your staff need to know what kind of personal information is being processed and how to locate it.
The right of access
This information will include the personal data you are processing about the data subject, whether it was collected from the subject directly or obtained from another source. Processed data may be data the subject has permitted you to use (for example, because you are their employer), or information that has reached you from its original source elsewhere, such as when an external agency initially processed the employee’s data. The data subject has the ‘right of access’ to this information and must receive a copy of their processed personal data whenever they make a request for it.
The right of access has been around since 1984, but the media may still (in the run-up to the GDPR) promote this as a ‘new right’, which could lead to a spike in requests. Although the right of access has been strengthened under the GDPR, most organisations will already have good practices in place for handling the requests.
Automation and breaches
Something discussed under the GDPR is automated processing, which often falls under the banner of ‘profiling’. This term refers to processing a person’s personal data to create a picture, or ‘profile’, of who they are. This might include their age range, gender or occupation: details often used to sell products or to make decisions on their financial status by a bank or loan company. Even when profiling is otherwise lawful, a data subject can in some cases request its removal, due to the way it is collated.
Responsible organisations work hard to prevent any personal data being compromised, stolen or shared inappropriately, but unfortunately breaches do occur. Even so, breaches are generally avoidable through handling data correctly.
As an organisation you must have a personal data breach policy and, within that, a breach notification policy. In some cases, breaches will need to be reported to the Information Commissioner’s Office and sometimes to data subjects too.
Data mapping
One way to ensure that data is managed effectively and securely is to understand what data you have and how it is administered within the organisation. Data mapping is a useful way of doing this. Not only does it help you to identify the key information you process and document how it moves between departments or organisations, it also ensures you maintain appropriate details on why personal data is being processed, for whom, and for how long it will be used. Additionally, data mapping will help you to identify privacy risks, which in turn will help you with your data protection impact assessments.
When you consider data handling practices, it is important to remember that GDPR will cross over with other data protection legislation, in the form of the new Data Protection Act 2018. This is an example of a set of state laws which may add to or provide exemptions from some elements of the GDPR.
In addition to requesting a copy of the personal data you process, data subjects have several other rights, including the ‘Right to Erasure’. Described as ‘the right to be forgotten’, this may apply where there is no need for the data controller to continue to process the personal data.
The right to erasure applies if the personal data is no longer required for the purpose for which it was gathered, if there is a legal obligation to delete the data, or if a child’s data is gathered without parental consent. The data subject can also choose to withdraw consent, or use the ‘right to object’ if they disagree with the reason the data is held, such as if it is used purely by sales teams.
The right to erasure means that data subjects can always find out which of their personal information is held, why it is being kept and, if dissatisfied, how it can be removed. Where the subject remains dissatisfied, there is also a right to object, the right to rectify any mistakes in data handling, and the right to data portability: a right to have information sent directly from the data controller to the data subject in an agreed and easily readable format.
Legitimacy of data
Sometimes the rules under GDPR seem complex. Where there is the intention to process personal data for the purpose of direct marketing, consent is normally required. Remember, though, that a data subject still has the right to opt out or exercise their right to object under Article 21. In the past, people had to opt out of their data being processed for things like direct marketing, whereas now they must opt in. This may create work for organisations, but GDPR should be regarded as a common-sense approach to protecting individuals, and a way for organisations to process personal data responsibly.
If data is processed for a legitimate, legal reason and then used to inform historic, scientific or statistical data, the data subject should not have the right to erasure. If instead data is processed for these purposes without a legitimate reason, then storing it is not allowed under the GDPR.
Something important that companies can do to prepare for the GDPR is to update their privacy policies, as this is a legal requirement and needs to be ready before the GDPR comes into effect.
Your responsibility under GDPR is to let data subjects know that you are using their data, processing it in the right way, keeping it secure and only using it as long as they are happy for you to do so. This approach offers transparency, and will build trust long after the GDPR comes into force.