The General Data Protection Regulation (GDPR) – what is it and what should you be doing to prepare? Part Three
06 Oct 2017
Part 3 – Rights of Data Subjects
This is the third in our series of articles summarising the upcoming changes to be introduced by the GDPR.
As mentioned in our previous article, data subjects, or those individuals whose data is held, already have various rights in respect of their personal data. The GDPR will strengthen and add to these rights. This means it is more important than ever for data controllers and processors to be aware of what these rights are, and how to comply with them.
The key rights are as follows:
1. Right to be informed – this means informing individuals in writing, when their data is collected, about who you are and how you will use their data. This information must be provided free of charge in a concise, transparent, intelligible and easily accessible manner.
2. Right of access – this is the individual’s right to access the personal data you hold about them. Access should be provided within one month of a request and free of charge, although a reasonable charge can be made if the request is repetitive or unfounded. Where appropriate, access to the information can often be provided through secure self-service portals.
A business therefore needs to be aware of exactly what information it is controlling and processing in respect of individuals. It should also begin identifying the most secure and efficient method for responding to such requests.
Offering secure self-service portals may involve a change or upgrade in IT systems, and so advance preparation here will be very important.
3. Right to rectification – individuals are entitled to have data amended and/or updated if it’s inaccurate or incomplete. Rectification must generally be carried out within one month of the request.
Staff should be aware of these rights and ready to act should such requests be received. Again, IT systems will need to be primed to carry out prompt rectification.
4. Right to erasure – individuals have the right to request deletion of their personal data where there is no longer a ‘compelling reason’ for its continued processing or holding. This would include where the information is no longer required for the purpose for which it was collected, consent has been withdrawn and/or there is no legitimate reason for continued processing. In addition, where an individual exercises their right of erasure, controllers must also inform any entities who have received a copy of that data.
Of course, erasure in the modern day can be particularly difficult, given the extensive back-up copies taken by many organisations. So far, it’s unclear how far businesses will need to go to prove compliance with this right but we suggest, at the very least, that steps will need to be taken to remove more than just the easily accessible data.
5. Right to restrict processing – individuals have a right to stop processing of personal data. This right can be exercised where: the accuracy of the data is challenged; there has been an unresolved objection to processing; the processing is unlawful; and/or the data is no longer required by the controller but the individual requires it to establish, exercise or defend legal claims. In that last case the individual could require an organisation to retain data which it would otherwise destroy.
6. Right to data portability – this allows individuals to obtain and reuse personal data for their own purposes using alternative providers. This will require organisations to adapt their systems to allow for the transfer of data they hold to another entity. Such a transfer must be made within one month of the date of request.
As an initial step, businesses will need to analyse their IT systems and review their ability to carry out such transfers. Again, staff would need to be trained to deal with such requests within the appropriate time frames.
7. Right to object – individuals have the right to object to the following:
- processing based on legitimate interests;
- direct marketing; and
- processing for purposes of scientific/historic research and statistics.
In addition, when using data for direct marketing purposes, businesses must tell individuals of their right to object at the first opportunity and also in each subsequent communication sent to them. For example, for email marketing, this will be in the first email sent following collection of an individual’s details.
Businesses may need to review their data collection processes to ensure that information about the right to object is given at the outset. In addition, systems should allow for immediate ceasing of any processing once a request has been received.
This article provides a brief overview of the rights of data subjects, many of which businesses should already be complying with in some shape or form. To ensure you are in a position to comply with the GDPR when it takes effect, we recommend that you start taking steps to prepare now.
Our next article will deal with the upcoming changes to the concept of consent and will provide some practical guidance as to how to obtain viable consent.
For further information relating to the GDPR and data protection, please contact us or call a member of our team on 0161 832 3434.