Handling individuals’ rights to control their data
From its inception, the GDPR (which came into force on 25th May 2018) was designed to strengthen the privacy rights of EU citizens. Although some argue it hasn’t gone far enough, the Regulation still introduces a range of new requirements. The rights to access, erasure, rectification and data portability need careful consideration, along with the right to object to direct marketing, profiling and processing under legitimate interests.
Individuals also have a right to be informed about the processing of their data. In a move aimed at ending small print in privacy policies, the GDPR clearly stipulates that this must be done in a concise, transparent, intelligible and easily accessible manner. It must be written in clear and plain language, particularly if addressed to a child, and subject access must be free of charge.
It’s important for organisations to ensure new policies, processes and systems recognise these new and revised rights.
Increased Subject Access Requests?
Right of access is not new, but the removal of the £10 fee under the GDPR marks a significant change, and is likely to drive up the number of Subject Access Requests (SARs) (you can only charge a reasonable fee when a request is manifestly unfounded or excessive, or when requests are made for copies of the same information).
There is also less time to comply with requests; information must now be provided without delay or at least within one month of receipt (controllers have a limited right to extend this period up to three months if requests are complex or numerous, but in such cases you must inform the individual within one month and explain why the extension is necessary).
It’s advisable to review subject access procedures to ensure compliance. It may also prove a valuable exercise to assess how much SARs currently cost your organisation, and prepare for a significant rise in volume. Can you move resources to this area as and when necessary, or will you need to budget for additional resources?
Are you adequately informing individuals of their rights to object?
In addition to the right to object to direct marketing (which is an absolute right with no exemptions), the Regulation provides for the right to object to profiling and processing under Legitimate Interests.
Data controllers should have audited their organisation’s data protection notices and policies to ensure individuals are being clearly told of their rights to object, at the first point of contact and in plain and concise language. What profiling techniques do you use? What do you need to tell your customers?
Can you fulfil the right to erasure (to be forgotten)?
This right allows individuals to request that you erase their data from your systems (with specified exemptions). It’s a right that already exists in relation to search engines, as highlighted by the numerous cases involving Google.
It is advisable to assess the practicality of complying with erasure requests, especially if you have personal data on legacy systems. You also need to consider whether data should be erased completely or added to your internal suppression file. For example, if you delete a record entirely, you may acquire it again and run the risk of processing it and sending marketing to that individual in the future. Any data held on suppression files should be the minimum required for the purpose.
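One way to implement the "erase but suppress" approach described above, as an added illustration rather than anything from the Data Protection Network: the full record is deleted, and the suppression file keeps only a keyed hash of the normalised email address (not the address itself), so a later re-acquisition of the same person is blocked from marketing use. The key, the `MarketingStore` class and the sample records are assumptions for the example.

```python
import hashlib
import hmac

# Assumed key for the suppression file; in practice load it from a secrets store.
SUPPRESSION_KEY = b"example-only-key"


def normalise_email(email: str) -> str:
    """Trim and lower-case so the same address always yields the same token."""
    return email.strip().lower()


def suppression_token(email: str) -> str:
    """Keyed hash of the address. The suppression file holds only this token,
    which is the minimum needed to recognise the person if their data reappears."""
    digest = hmac.new(SUPPRESSION_KEY, normalise_email(email).encode(), hashlib.sha256)
    return digest.hexdigest()


class MarketingStore:
    """Hypothetical marketing database with an internal suppression file."""

    def __init__(self) -> None:
        self.contacts: dict[str, dict] = {}  # normalised email -> full record
        self.suppressed: set[str] = set()    # tokens only, never raw addresses

    def acquire(self, email: str, record: dict) -> bool:
        """Add data from a new source (e.g. a purchased list).
        Returns False, storing nothing, if the person previously asked to be forgotten."""
        if suppression_token(email) in self.suppressed:
            return False
        self.contacts[normalise_email(email)] = record
        return True

    def erase(self, email: str) -> bool:
        """Fulfil an erasure request: drop the record entirely, keep only the token.
        Returns True if a record was actually removed."""
        existed = self.contacts.pop(normalise_email(email), None) is not None
        self.suppressed.add(suppression_token(email))
        return existed

    def is_suppressed(self, email: str) -> bool:
        return suppression_token(email) in self.suppressed


def demo() -> tuple[bool, bool, bool]:
    """Constructed scenario: acquire, erase, then try to re-acquire the same person."""
    store = MarketingStore()
    store.acquire("Alice@Example.com", {"name": "Alice", "email_opt_in": True})
    erased = store.erase("alice@example.com")
    reacquired = store.acquire("  ALICE@example.com ", {"name": "A. Smith"})
    other = store.acquire("bob@example.com", {"name": "Bob"})
    return erased, reacquired, other
```

The suppression set never contains a raw address, so a leak of the suppression file alone exposes only keyed hashes.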
Are you able to fulfil the right to data portability?
This new right confirms the concept of personal data as the individual's property and provides individuals with the ability to:
a) receive personal data concerning them in a structured, commonly used, machine-readable and interoperable format;
b) transfer the data to another controller;
c) request that their personal data be directly transmitted from one controller to another, as long as this is technically feasible.
The move is aimed at making it easier for individuals to transmit personal data between service providers. It presents a challenge for controllers, who will need to ensure they can, free of charge, comply with a request within one month of receiving it (this can be extended to two months if the request is complex or repeated, but you must inform the individual within one month to explain why an extension is necessary).
If your business activities are affected by this right, you need systems in place to uphold it.
Are your systems capable of storing multiple data choices at an individual level?
For controllers processing personal data on an extensive scale, significant investment may be required for sophisticated customer preference management enabling you to store a number of different choices made by an individual. For example, can you store information that a person has opted out of telemarketing, opted in to email marketing and objected to profiling? Can you do this across your brands?
Strengthened privacy rights mean more opportunity for individuals to seek compensation. The Direct Marketing Association has already warned of the rise of data protection ambulance chasers, and a proliferation of no-win no-fee data protection solicitors is already evident. Organisations need to be prepared for emboldened consumers asking them directly and more frequently for compensation when they believe a data breach has occurred. If compensation is refused, they and their solicitor may have recourse to the Courts. While compensation payments are likely to be low, losing a case could erode your brand reputation.
Satisfying individuals’ rights under the GDPR has certainly become more complex, but good handling of data queries will earn trust and ensure continued engagement.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.