PC Pro

“This view of GDPR exposes nuances that aren’t obvious when looking at data-processing principles”

Paul revisits GDPR from a different angle, looking at the various rights that it brings to individuals

- @PaulOckenden

Following on from my GDPR-themed column two months ago, readers got in touch to ask about the various “rights” they’ve read about in the press – “the right to be forgotten”, for example – and how these relate to the new data-processing principles.

It’s actually the same thing. Whether you look at the new regulation from the point of view of the data processor, as I did last time, or the individual, as I’m about to do here, the underlying rules are identical. We’re simply coming at things from a different angle.

This alternative view of GDPR is worthwhile, however, because it exposes nuances that aren’t obvious when simply looking at the data-processing principles. Much like those principles, the individual’s rights can be broken down into a number of categories, of which there are eight this time. I’ll look at each in turn.

1 The right to be informed

When you process data about individuals, they have the right to be told what you’re doing with their data and why you’re doing it. It doesn’t matter whether you’ve obtained the data from the person concerned (because they’re an existing customer, say, or have signed up to your newsletter), or whether you sourced their data from a third party (perhaps from a mailing list provider).

So what information do you have to provide to individuals? Well, you’ll notice that it’s all about the data (where you got it from, what you’re going to do with it), but – in this right, at least – it doesn’t involve divulging the data itself. The information is all quite generic, and deliberately so, because the intention is that this information should go into a privacy notice, typically on a website. The information we need to provide is:

a) The details of your company’s data controller and data protection officer. Importantly, this needs to include details on how they can be contacted, and if you use an agency or other representative for data processing, it needs to include their contact details too.

b) You need to explain the “lawful basis” for the processing you’re doing and its purpose. You should be able to see how this dovetails neatly with the first and second key principles, and particularly the lawful basis tests that I described in the previous column.

c) If you’ve used the “legitimate interests” test to assert the lawfulness of the data processing (again, refer back to the first principle) then you need to spell this out – what the legitimate interest is, and who it applies to. Remember, it doesn’t have to be the interest of the data subject; you can use your own interest as a legitimate reason for processing marketing data, for example.

d) If you obtained the personal data from a third party then you need to spell out the categories of personal data you’ve obtained.

e) You need to let the data subject know whether anyone else will be receiving their processed data. This can either be a specific organisation, or a category of recipient such as “mortgage providers”. It’s sensible to do the latter, since it allows for future flexibility.

f) If, at any point in the processing or final delivery of the data, it’s transferred outside of the European Union – to other countries or to international organisations – then you need to document this, and include the details of the safeguards put in place to protect the individual and their data.

g) You should spell out the retention period that you use to meet the fifth principle as discussed in the previous column. If you don’t have a fixed storage time limit (which is probably the case for most businesses) then you need to explain to the data subject how you determine the retention period. For example, you might explain how it differs for various groups of customers, and for different types of data.

h) I’ve no idea why this one sits in the middle (I’m following the “official” order of things here), but you need to tell the data subject of the existence of these rights. Shouldn’t that be the very first thing on the list?

i) You need to explain that if the person has consented to having their data processed (by ticking an opt-in box on a form, for example), they’re entitled to withdraw that consent at any time.

j) Tell them that they have the right to lodge a complaint with a “supervisory authority”, if they consider that the processing of their personal data infringes the regulation. In the UK, the supervisory authority is the Information Commissioner’s Office, or ICO.

k) If the personal data wasn’t given to you by the data subject, you must explain where you got it from, and let the person know whether it came from a publicly accessible or private source.

l) On the other hand, if this is about data supplied by individuals then you need to explain whether there’s a legal obligation for them to divulge it (perhaps, who was driving in the case of a speeding ticket), or a contractual obligation (such as the “have you ever had a speeding ticket?” question on a car insurance form). In both cases, you also need to spell out the consequences for the data subject if they fail to provide the information.

m) Finally, you’ll now need to explain to the data subject whether you’re going to do profiling or other forms of automatic decision-making based on their data. Critically, you need to offer details about how those decisions are made, including the significance of each data item and the consequences. In recent months, there have been stories in the press about people receiving different insurance quote prices depending on the email domain used when applying. GDPR says that this kind of thing needs to be spelled out.

As I mentioned, all of this information is intended to sit within a fairly standard privacy notice. The regulation says that this needs to be “concise, transparent, intelligible, easily accessible and written in clear and plain language” – in other words, not the lawyer-speak privacy notices that were common prior to GDPR!

2 The right of access

This is where things get more personal. The first right was generic, and can be covered by a one-size-fits-all privacy statement. This second right is all about the data subject getting access to their own data – the actual details you hold about them. The intention is that with this right they can verify that you’re processing their data correctly. On request, a company is required to first tell someone whether their data is being processed; and if it is, provide access to that data.

The regulation says that, in most instances, you should give access to the data within a month; and that you’re not allowed to charge for this unless the subject makes unfounded or repetitive requests. Even then, the charge needs to be reasonable and based on your actual costs. You have a right to refuse if the subject continues to bombard you with repeated and unwarranted requests.

One important aspect of this right is that you need to establish the identity of the person before providing access to their data. The regulation doesn’t lay down formal methods here; it just says you should use “reasonable means”.

3 The right to rectification

At first glance, this one sounds simple: GDPR gives people the right to have their personal data updated if it’s inaccurate or incomplete. As with the right of access, you have a month to sort this out with the data subject.

Things get tricky in cases where you’ve already provided the data to other parties. Here, you have an obligation to contact each recipient of the data and pass on the details of the update. Of course, there might be situations where this is impossible (you may no longer have contacts with the third party, or maybe they’ve gone out of business). Or you might determine that rectifying the data with third parties requires “disproportionate effort”. In this case, you can explain this to the data subject, and simply pass on details about who received their data.

But hang on a moment – “disproportionate effort” sounds a bit woolly, doesn’t it? You’ll find that most commentators gloss over that fact. Dig deeper into the regulation, however, and you’ll find that this covers such tasks as backups and archiving (even if you change the main database, the historical backups will still be incorrect, and it’s impractical to change them). Also, with regards to Purpose Limitation in the previous article, I explained that people can have restrictions placed on their rights to object when it comes to the processing of their personal data for scientific, historical or statistical purposes. That’s also covered under “disproportionate effort”.

4 The right to erasure

The right to erasure is what’s more commonly known as the “Right to be forgotten”. But that’s a misnomer; there isn’t an absolute right to be forgotten. The right to erasure is provided only in specific – albeit fairly broad – circumstances. The main idea is that it enables someone to request the deletion or removal of personal data, where there’s no compelling reason for its continued processing. But something like “because I don’t like your company” isn’t one of the specified reasons to invoke erasure. The specific circumstances are:

a) The personal data is no longer necessary for the original purpose for which it was obtained or processed.

b) The person withdraws their consent. Note that this only applies where consent has been given – there’s much data processing that happens without specific consent, so this can’t be used for a blanket “stop processing my data” request.

c) The individual objects to the processing and there’s no overriding legitimate interest for continuing the processing, using the same legitimate interests test that I’ve referenced elsewhere.

d) If the person’s data has been unlawfully processed – in breach of the regulation.

e) Where the personal data has to be removed in order to comply with a legal obligation.

f) Where the personal data is processed in relation to a service offered directly to children.

There are a few circumstances where you can refuse a request for erasure. The first is if you wish to exercise your right of freedom of expression and information. This includes the processing of data for journalistic purposes and also for academic, artistic and literary expression. This represents a slight clash between two regulations designed to protect people – data protection vs human rights.

The other reasons you can refuse erasure are: to comply with a legal obligation for the performance of a public interest task or exercise of official authority; for public health purposes in the public interest; archiving purposes in the public interest; scientific research, historical research or statistical purposes; or the exercise or defence of legal claims.

As with the right to rectification, you should propagate this erasure request to any other parties to whom you’ve passed data. Thankfully, the “disproportionate effort” rule applies here too.

5 The right to restrict processing

Here, you can continue to store the data, but are restricted from processing it. It normally applies where there’s a dispute over data accuracy, or if you’re considering a request for erasure. The processing is effectively put into stasis.

An individual can also request this right when it comes to being included on a “do not contact” list. In this case, it’s permissible to store and process just enough of their data to ensure that the restriction can be respected in the future.

6 The right to data portability

There’s been much rubbish written about this. The intention here is to allow you to switch between providers of various services quickly and easily. The problem is that it’s vague. The regulation states that it wants to create a level playing field, but it doesn’t impose any interoperable data standards on suppliers. The only obligation is to provide customer data (and even then, only the data they’ve personally given you) in a structured, machine-readable format. That can be a basic CSV file. There’s no obligation to maintain systems that provide data compatibility with your competitors.

I think there’s a lot of work required for this right to become useful in the future.

7 The right to object

There’s obvious overlap here with some of the previous rights. This one is a belt-and-braces mechanism to allow people to opt out from direct marketing, from any processing using the legitimate interests tests, or from research. You can override the legitimate interests objection where there are legal claims involved, and the research objection where there’s public interest. You can’t override the direct marketing objection, though.

8 Rights related to automated decision-making, including profiling

Once again, there’s plenty of misinformation about this one. In essence, it states you should only use automated decision-making and profiling if it’s necessary for either entering into or performing a contract, and only with the individual’s consent. This affects areas such as risk-assessing someone applying for a loan, or using automated tests to determine whether an applicant is suitable for a job.

As you read through this list of rights, it’s obvious that many come from the data processing principles I went through in the previous column. When spelled out in the form of the individual rights here, it’s possible to see additional nuances that you need to cover in your GDPR compliance activities. I hope this article has been helpful in that regard.


@PaulOckenden Paul owns an agency that helps businesses exploit the web, from sales to marketing and everything in between
