Part 3 of a Basic Guide introducing you to Data Protection and GDPR
This article forms part of a collection to introduce you to what Data Protection and ‘GDPR’ are. It’s based upon staff training that we’ve provided for companies to make sure they had a basic working knowledge and were able to take the steps to protect individuals personal information in their care.
This guide takes you through the overview and basics of the individual rights guaranteed to data subjects under the GDPR. If you have any questions or require consultation or guidance please don’t hesitate to contact me to discuss further.
What are Data Subjects rights under GDPR?
Under the GDPR if you’re an EU citizen (or post Brexit a UK Citizen as the GDPR was enshrined into UK law as the Data Protection Act 2018 and had not yet been repealed) or the company in which you are dealing with is based in the EU (or the UK) then you have the following rights about how companies/governments and organisations can use personally identifiable data.
- The right to be informed
- The right to access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
These rights when exercised properly allow data subjects a better understanding and control over their personal data and how it is used. While this could be seen as a restriction on businesses it allows them to be more transparent with their clients/customers and restore the trust that has been eroded over the last decade. The protection of data subjects rights is protected and enforced allowing the ICO and data subjects now a much easier route and higher ceiling to seek judicial remedies against controllers and processors for any damages caused by the ‘misuse’ (Data Breach) of their data.
Let’s break each of these down.
First a quick reminder about the terminology of Data Subject, Data Controller and Data Processor.
- Data Subject – Is the end customer/client or user interacting with a company/organisation/government.
- Data Controller – Is who the data subject is interacting with and who is directing what should happen with the data.
- Data Processor – Is who processes the action for which the data has been collected (this includes storing it). A company can both be a Data Controller and a Data Processor.
To give an example – You (The Data Subject) might work at an IT company (Data Controller) and have submitted your financial information to them to be paid. Your company itself doesn’t handle it’s own finances and outsources them to a specialist accountancy firm (Data Processor) who take your financial details, store them and process as directed by your company.
The Right to be informed
The right to be informed requires Data Controllers to clearly state for what purposes the data they are collecting will be used, the lawful basis of the processing, along with who it will be shared with (such as third-parties), where it will be stored and generally data pertaining to it. This is generally performed (although not exclusively) through a privacy notice that is displayed clearly and prominently when and where the data is first collected.
Data subjects must also be informed of their other rights including how they can lodge a complaint within the company and with a supervisory authority against the controller (e.g. the ICO.
The right to access
The GDPR requires that Data Controllers must give Data subjects access to the data of which they hold about them, as well as the purpose for which that data was being held/processed, How they categorised it and what third-parties had access to it (and for what purpose). This information should include all elements of your personal information stored including their internal notes about you where applicable.
When a Data Subject makes this request to an organisation it is called a Data Subject Access Request (DSAR) and organisations have a legal duty to respond and provide this data in 30 days (with the ability to extend where the request can be evidenced as complicated or requires additional time to identify and verify the requester).
Organisations need to have a tried and tested procedure/policy in place in how to deal with such requests or find themselves at the mercy of the regulatory body (Here in the UK the ICO).
This request can come in any nature from Data Subjects – Email, Telephone, Letter – There is no stipulation or allowance of limitation in the GDPR for Organisations to restrict how this request comes in. Organisations also cannot charge for providing this data unless the can be evidenced as excessive (In which case they can charge a Reasonable Fee to cover any actual costs they would incur to provide it). Sadly however the GDPR is unclear on what the definition of excessive is and so would be up for individual organisations and their policies to defend.
Finally similar to charging a reasonable fee. Organisations can refuse a DSAR if again they believe that the request is excessive or unfounded, however again they would need to defend this and expect to be challenged.
The Right to rectification.
In a previous article, we discussed that a key principle of the GDPR was that organisations needed to make sure that the data they store is up-to-date and correct.
The right to Rectification means that the data subject has the right to rectify any inaccuracies in the personal data that an organisation holds about them.
Organisations must then “without undue delay” update their records accordingly. As the right to rectify comes hand in hand with the right to access and transparency most organisations where appropriate will allow data subjects to update the personal data they hold directly.
The best example of this is to think about your Amazon account where you have the ability to end your Name, address, telephone number, payment details and other personal information directly without having to contact Amazon.
The Right to Erasure.
Also more commonly known as ‘The Right to be forgotten’.
The Right to erasure allows data subjects to request that information about them is erased if they withdraw consent for that information to be held or if there is a legal issue with the original requirement for the organisation to process the data.
Depending on the size of the data held about you, this could be a difficult task for an organisation to complete at all, let alone quickly. Organisations must, therefore, have an advanced policy and procedure including a data map (showing where all data is held, how it is interconnected, and why it is held) to help them identify all locations from which the data will need to be erased – That is if it can be erased.
The Right to Erasure is not an absolute right, which means that organisations can reject it unless it meets any of the following conditions;
- If the Data Subject withdraws consent to the processing – and only if there is no other legal justification beyond consent to continue processing.
- If the organisation uses ‘Legitimate interests’ to defend the processing of the data and the Data subjects object to that legitimate interest – and again only if the organisation cannot provide an overriding legitimate ground for continuing to process the data.
- When the data subjects personal data is no longer necessary for the purpose for which the data controller collected it or otherwise processed it.
- If the data has been unlawfully processed, in breach of GDPR.
- If the data has to be erased under EU, Member state, or in the case of post-Brexit UK law that applies to the controller (e.g. If another UK Law says you can’t hold that data, it doesn’t matter if you’ve got a GDPR processing defence, it has to be erased).
- If the data was collected in relation to “Information Society Services”. Information Society Services are defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”
The right to restriction of processing.
Data subjects have the right to restrict or suspend the processing of their data in strict scenarios. This is different from the erasure of data where processing is stopped permanently and all relevant data held is destroyed.
These scenarios are;
- The Data Subject contests the accuracy of the personal data, therefore the data subject can request processing is restricted until the controller can verify and correct the accuracy of the data held.
- The Data controller no longer needs the data or requires any processing however the Data Subject requires that the Controller maintain the data without processing due to an on-going legal claim where the data acts as evidence.
- The processing of the data by the controller or processor is unlawful, but the data subject does not yet want their data erased, yet.
- The Data Subject objects to the processing of the data in-line with the right to object and the restriction/suspension of processing is used while the controller investigates it has other legal grounds in which to continue processing the data (And if they don’t then it falls under the right to erasure).
like the other rights, it’s important that organisations have policy and procedure in place on how to enact each of these, including how to suspend and temporarily archive/segregate the data of the data subject that is restricting from the rest of the active and processed data. If data is accidentally continued to be processed after a legitimate restriction is in effect then this is considered a Data breach (Mis-use of data) and would likely require reporting to the Data Subject and the Regulatory body (ICO).
The right to data portability.
The right to data portability under the GDPR is designed to give Data Subjects a more accessible source of information. Essentially it ensures that data subjects can not only see the specific data that the data controller is holding but also transfer that data in a clear machine-readable format to another controller of their choice without cost or complexity.
The best example of this is when we look at Electricity Suppliers, Gas Suppliers or even Bank Accounts. This right within the GDPR means that you can easily request that your information be transferred to a new supplier in a way that they’ll be able to understand it and without you having to manually resupply it (Think about when signing up to a new current account and they transfer your payees, direct debits straight to your new account at your new bank).
Again it’s important that organisations have policy and procedure in place to be able to export the required data in a safe way, and then transmit it in a secure manner to either the data subject or to the data subjects new data controller.
The right to object.
Data subjects have the right to object to general or specific processing of their data. When this takes place it is the responsibility to then demonstrate the legitimate defence it has for processing the data which must at that point override the interests, rights and freedoms of the data subject or have a non-consent GDPR defence or legal claim.
Data Controllers have the responsibility to inform data subjects of this right when entering into a contract, consent or at the time they collect the data for first processing.
Similar to the right to restrict processing, Organisations should have a procedure/policy that allows them to quickly suspend the processing of data temporarily without affecting other data or without risking that the objected data is accidentally processed.
Data Subject Rights in relation to automated decision-making
The GDPR states that data subjects have the right “not to be subject to a decision based solely on automated processing, including profiling which produces legal effects concerning [Them]or similarly significantly affects [Them]”
This means that if you use an automated processing system such as a credit control framework and it rejects a customer automatically, that customer has the right for human intervention, to contest the results and obtain an explanation for the decision (where it would be expected that a human manually reviews all of the data themselves and give them a non-automated decision including explanation).