This e-book is derived from a full GDPR course I created that has had over 11,000 student enrolments. I thought it would be useful to provide a version on Medium. Data protection law can be complex and an e-book cannot be sure to cover your organisation’s circumstances, so be sure to seek professional advice if you have any doubts when processing personal data.
In this chapter I cover the rights that the GDPR gives to data subjects.
One of the highest profile areas of the GDPR, probably second only to scary stories about massive fines, is the subject of data subject’s rights.
The GDPR rights are designed to give data subjects control over their personal data. Put simply, they ensure the data subject knows what their data is being used for, allows people access to their data and gives people the power to control their data should it fall outside a lawful basis of processing.
The operation of the enhanced rights are governed by regulations that stipulate, amongst others, that organisations must cooperate with any requests, must not charge individuals for exercising their rights and must respond to requests within specific timescales. If organisations ignore or fail to respond to people attempting to exercise their rights they may be referred to the regulator for investigation. As a general rule, organisations must respond to requests within one month of receiving a valid request and ensure their communications are transparent in their meaning and are written in clear plain English.
There are 8 individual rights. We’ll go into them in detail as it’s important as these are the key ways in which data subjects will interact with organisations that process personal data.
The right to be informed
Every data subject has the right to understand what data about them is being gathered, who is gathering it and how and why it will be processed. Normally this is achieved through provision of a “fair processing notice” that contains the necessary information. Most organisations that collect personal data already provide data subjects with a privacy notice at the point where their data is being gathered, for example, you will normally see a privacy notice as you sign up for an online service. This also explains why you see those pop up notices that appear when you visit a new website.
Where personal data is obtained from a source other than the individual, a fair processing notice must be provided in a reasonable time period after the data was obtained. At the very latest, the fair processing notice should be given within one month of obtaining the data or at the point where any communication takes place with the data subject, whichever happens first.
Privacy notices must cover a number of specific points that are set out in the regulation. Various elements, such as the identity of the controller, the reasons and lawful basis for processing and retention period must be included for the notice to meet the requirements.
Privacy notices must be clear and transparent, giving people enough information to exercise their other rights.
The right of access
Every data subject has the right to see the personal information that is being held on them by an organisation. This is a very similar right to that under the old UK Data Protection Act although, in common with most of the GDPR, the requirements are more explicit with more obligations on the Data Controller.
Data subjects can request information about their personal data that may be being processed using a process called a Data Subject Access Request. There’s no set format for an access request, for example, it is worth noting that the ICO guidance states that requests may be made via social media pages, such as company Facebook pages, as well as more traditional methods. In contrast with the old Data Protection Act, no fee is chargeable for the service.
Data Controllers must respond within one month of receiving a request and must offer access to all the personal data they hold on the individual. However, it is not necessary to duplicate the data if it is held in more than one place, for example, if a customer’s name and email address exists in a sales database and an order fulfilment database, it will suffice to simply supply the name and email address once.
In addition to supplying the personal data, additional information relating to the the processing activities must be included; this largely mirrors the type of information that must be provided in a fair processing notice.
The right to rectification
People have the right to ensure that data held about them is accurate. The right to rectification means that organisations cannot refuse to correct data that should be corrected. This can also include requests to add more information to incomplete data. In many circumstances there is no reason why data would not be corrected immediately, however, in some circumstances proof may be needed before a correction is made. For example, a bank is unlikely to accept a request to change a customer’s name and address without some form of proof due to the risk of fraud.
In reality, most organisations need accurate data in order to serve both themselves and their customers so in many cases serving the right to rectification will be a routine activity.
The right to erasure
Individuals have the right to have data about them deleted if it is no longer needed for the purpose it was collected. This right is designed to protect people from having their data held long after it was collected.
The right to erasure is not an absolute right however. Where there is a lawful basis of processing, it may not always be appropriate for organisations to delete personal data on demand.
The approach to erasure depends on the basis of processing that exists. If the processing is for legal or contractual reasons, it is likely that a request for erasure should be refused as it would be against the law or would mean that a contract can’t be fulfilled. Similarly, it is likely that government bodies engaged in activities mandated by a public task basis of processing may feel that they should refuse erasure requests.
If processing under Legitimate Interests, it is possible that a request could be refused if the organisation was sure of its grounds for retaining the data and the organisations interests are considered more important than the impact of processing on the individual.
It is unlikely that a request would be refused where data is processed on a basis of consent from the individual. This is because the act of requesting erasure of personal data should be seen as a clear signal that the data subject’s consent has been withdrawn.
As the right to erasure applies where an overriding basis of processing does not exist or where processing was based on consent and that consent is withdrawn, the simplest approach for any organisation is not to process data without a robust basis of processing.
The right to restrict processing
There are a number of situations where a data subject has the right to request that processing of their data be suspended or processing restricted. When a request has been received, the data must no longer be used for the purpose it was gathered and can only be stored. This right is designed to protect individuals from having their data processed whilst issues are resolved.
A data subject can request restrictions on processing when they have concerns over the accuracy of their personal data being used. For example, an individual may dispute a letter from their mortgage company which says they have missed 3 mortgage payments because this could affect their credit history. In this example, the individual might respond to the mortgage company with evidence of the payments they have made and request that their credit file is not updated while the issue is resolved.
Restriction of processing may be the preferred course of action when it is determined that data was being used unlawfully but the data subject agrees that it can be retained for some reason; including in order to manage any complaint about unlawful processing! For example, where data is needed as a part of a legal claim, it may be appropriate for data to be retained and restricted from use.
It is possible that a data subject may dispute processing under a legitimate interests justification. In this case, they may request that processing is restricted whilst the basis of processing is tested.
Data that is restricted should be suspended from all usual processing apart from storage, however it may be possible to further process the data with the explicit consent of the data subject.
The right to data portability
The right to portability is designed to allow data subjects to receive from a Data Controller a copy of the data that they have provided in a “machine readable format”. This right only applies where data was gathered with the data subject’s consent or in order to deliver services contained in a contract. Think for example about the amount of data provided to social media sites; this right allows the data subject to receive a copy of their data in a computerised format. Once received, the data subject is able to pass the data to a new provider, hence “portability”.
A “machine readable format” is legal-speak for an electronic copy in a common format, for example, comma separated spreadsheet files. This does not necessarily mean it must be readable by the individual, since that right is contained in the data subject access rights.
If a mechanism exists, the data subject has the right to have their data passed directly from one Data Controller to another, perhaps to port a service between providers. In reality, unless an industry process exists for transferring data between Data Controllers, transmission between Data Controllers is likely to be theoretical only. However, some industries already do this, for example, the UK electricity industry allows data to be passed between suppliers so customers can switch provider.
The right to object
The right to object to processing is available to individuals when their personal data is being processed under the following conditions;
· Under a legitimate interests justification
· In the public interest or when an official authority is exercising its public duty
· For scientific, statistical or historical research, or
· For direct marketing purposes
The right to object is triggered by the data subject making a formal objection, but there are conditions attached that must be met for the objection to be valid.
In order to make a valid objection, the individual must be able to point to grounds relating to his or her particular circumstances. This allows the organisation to respond based upon the merits of the case. While considering the objection, it may be appropriate for the organisation to restrict processing whilst the case is considered. This means that the right to object and the right to restrict processing will often be used together.
It’s a tricky area, so let’s look at an example. Let’s imagine an organisation that records CCTV footage of a public area that leads to a doorway into their offices. A passer-by may object to having their image processed citing their privacy. In this case, the organisation may choose to temporarily switch off the recording whilst they consider the case. In this case, the organisation may decide that they will refuse the objection by claiming a legitimate interest in defending their property. In this case, it may be reasonable to argue that there is little privacy impact on the complainant in exchange for considerable benefit to the organisation through effective security. However, if the camera is pointed at a public space then it may be harder to refuse the objection as the legitimate interest is weakened.
In this example, there’s a nuanced decision that depends on the circumstances, and, should both sides disagree, it may end up being tested by the law.
There is, however, one area where there are no grey areas; the GDPR introduces an absolute right to object to direct marketing. Objections to direct marketing cannot be refused by the processing organisation.
Automated decision making and profiling
Individuals have particular rights in relation to automated decision making by computer algorithms. The aim of this part of the regulations is to protect people from having decisions made by computer systems without any way of responding or seeking redress. The right means that people can object to processing by automated processes and can request a review of the decision by a human being,
This does not mean that automated decision making is prohibited. Artificial intelligence and computerised decision making is becoming an increasingly common part of our lives; the regulations simply aim to provide certain safeguards to protect individuals from the consequences arising from this development in technology.
The GDPR is clear that people have the right not to be subject to automated decisions or profiled where that automation results in significant or legal effects. This is important as it’s the difference between trivial effects of a decision and those protected against by the regulation.
Significant or legal effects means a resulting consequence that has a negative impact on the individual. These could be something like the refusal of a service (such as refusing a car loan or rejecting a membership application). Other examples could be updating someone’s credit risk file or adding to their criminal record entirely by automated means.
This means that activities such as profiling a customer database against socio-economic profiles in order to understand the distribution of high income customers will not run the risk of objection because there is no legal effect on the customers. However, even when automated processing is unlikely to receive objections the organisation must still tell individuals that are processing in this way and must ensure there is a lawful basis for processing in place.
If we extend the example, perhaps envisaging a situation where the profiles generated were then used to make a decision about whether to permit a customer to apply for credit without taking any other information into account, then there is a good chance a significant effect would occur.
Whilst people have the right to object to automated processing, there are some exceptions to this right. If the individual has provided their consent (which can be withdrawn at any time) or if the automated processing is necessary for the performance of a contract then objection don’t make sense. For example, if you sign up to a service that uses a specific algorithm to analyse data, such as an online personality test, then you cannot object to the outcome or request a human review when the actual purpose of the service was to use the automated service in the first place.
As a general rule, if organisations are using automated decision making or profiling and it is likely to have legal effect, then they should ensure that data subjects have the right to question the way in which decisions are made and to seek human oversight over the process.
Finally, the rights to erasure, restriction and rectification come with a further obligation on the Data Controller. If the personal data affected has been passed onto other parties then they must be told about the request from the individual so that the request ripples out to wherever their data is being used. Organisations must also, if requested to by the data subject, supply a list of all of the other parties involved in processing their data so that they can check that their data has been changed in line with their request.
The notification obligation also applies when personal data has been made public, for example, when a news article is published. Should a legitimate request under the GDPR rights be received, the publisher must take reasonable steps to inform any third parties who may have circulated or republished the data.
If you enjoy reading stories like this and want to support me as a writer, consider signing up to become a Medium member. It’s $5 a month, giving you unlimited access to stories of Medium. If you sign up using my link, I’ll earn a small commission.
Here are the links to the rest of the book.