GDPR: Data Subject Rights

Napthens - October 16th 2017

The GDPR brings a new level of protection to the rights of individuals which organisations will need to consider carefully.

A “data subject” is any individual who can be identified, or distinguished from another, from the personal data held. The rights of data subjects are intentionally strengthened in the new regulations, ranging from being able to restrict certain processing to being able to receive personal data and transfer it to another controller (which will be known as “data portability”).

In this article, we look at some of the key changes to specific rights and how these might influence the way businesses receive, store and transfer personal data.

Information

  • Data controllers must provide data subjects with information about their processing activities. This must be in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
  • Article 13 contains an explicit list of what must be disclosed to data subjects at the time personal data is collected - some of these are already contained within existing data protection legislation and practices, but many are new and will certainly require updates to any fair processing notices/privacy notices and declarations.

Access

  • Many businesses will already be familiar with the concept of a subject access request. The GDPR retains and enhances this right for individual data subjects to request access to their data which is being processed by a controller.
  • Data controllers will also now be obliged to put in place a clear process to enable data subjects to exercise this right, and make it free to exercise (other than for exceptional instances of manifestly unfounded or excessive requests). This means the £10 charge allowed will be abolished for all but exceptional cases.
  • Controllers must also respond without delay, and in the majority of cases will now be required to do so within one month. In addition, controllers must now use all reasonable measures to verify the identity of the data subject before granting the request. In practice this is an additional verification requirement, and will likely mean you need to review and update the processes followed by the relevant teams, including HR, marketing and customer service functions.
  • Being able to establish quickly what data is held about a particular subject, where it is stored, and by whom in the organisation, is also key to meeting this increased burden, so consider carrying out a regular data inventory which will keep this information up to date and at your fingertips.

Rectification

  • Data subjects retain the right to have incorrect information corrected by the controller, and/or to have incomplete information completed. The controller is also obliged to notify any third party processors of the request for rectification, so controllers will require a detailed understanding of where personal data flows into and out of their own systems.

Objection

  • The GDPR brings broader rights of objection to processing. Data subjects retain the right to object to the processing of personal information for direct marketing. Beyond this purpose, the burden of proving a “legitimate interest” for the processing of personal data now falls to the data controller. This means that if a data subject objects to their information being held and used, businesses will need to demonstrate compelling grounds to continue to do so. This change is likely to lead to an increase in objections.
  • Businesses would be best advised to consider whether there are specific legitimate reasons for holding personal data, both from the angle of the data subjects about whom information is stored and from that of the specific items of data held.

Erasure

  • Also known as the ‘right to be forgotten’, this provision gives individuals the right to have their personal information erased by making a request to a data controller. This is restricted to specific grounds being met, but will impose a requirement on businesses to erase (delete or destroy) all personal data relating to an individual in circumstances where these grounds apply. This will include the scenario where a data subject withdraws their consent to processing and the controller has no other legal ground on which to rely.
  • As already discussed above, being able to pinpoint where data is held will become crucial in ensuring this legal obligation can be met. Establishing the legal basis for processing will also be key if you need to challenge a request to erase information.

Portability

  • A new concept of data portability will be introduced by the GDPR. Data subjects will have the right to be provided with their data in a structured, commonly used electronic format. This means they can effectively be provided with their own data, as compiled and stored by one processor, to pass on to a separate processor. This raises questions as to how businesses can, with a balance of ease and security, extract and transform data, particularly where it is held across multiple systems.

Restriction

  • Data subjects can exercise the right to restrict processing of data in certain circumstances. In these cases, apart from storing “static” data, information can only be processed (or used) either: with the data subject’s consent; in connection with legal claims; or to protect the rights of others. This right is likely to be exercised where the legality of processing is contested, or where information needs to be retained in connection with legal proceedings but can no longer be lawfully processed for the original purpose for which it was collected.
  • This additional burden on businesses will again reinforce the need to be able to identify where data is stored and to “lock down” or freeze specific records, including excluding them from automated processes such as batch updates or interfacing.

Given the breadth of new requirements, it would be wise for businesses to begin considering updates to their policies, systems and procedures. A particular focus should be given to how your business will respond to subject access requests, or to individuals making requests in relation to other rights such as data portability, rectification or erasure. Being able to quickly and accurately locate all relevant data, where this may be spread across a multitude of systems and storage methods, will become a key strategy for future success. Having clear training, procedures and checklists in place will all support a structured and robust response.

Napthens can assist further, with practical support to perform information audits and advice on the design of processes and policies to support you in managing personal data. This includes interviewing members of staff and looking at your processes and procedures, along with delivering practical training to your employees on the “how-to” of good data practices going forwards.

For more information, please contact our GDPR specialists on 01772 888 444 or by email to GDPR@napthens.co.uk