The GDPR, the General Data Protection Regulation, is enforceable from 25th May 2018, the law was passed into effect in 2016 and was then moved to a transitionary phase to allow businesses and organisations to adapt. I will be discussing some of the aspects of the GDPR as I navigate helping businesses and organisations I am involved with change to reflect the new legislation.
In this article I am going to focus on the rights that are granted to the user, client or data subject. This is an important section of the GDPR and one which, even in this long article, I only just cover the broader elements.
Data Collection and the Data Subject
The GDPR brings in a few important changes to the management of user data, or rather more specifically to the manner in which a user can see and manage data that you (where you are a controller or a data processor) may have about them.1
The specific rights that are afforded to data subjects are all contained within Chapter III ‘rights of the data subject’ and are summarised in Articles 12 through to 23. I am going to summarise Articles 12-21 here. This is a brief guide and as such should be used only as an introduction to the specific sections of the GDPR.
1. Transparency
Data to be stored in a transparent (to the data subject) manner and allow communication on what data is stored or processed.
The data you collect, whether or not it is used for processing, must be able to be shown to the data subject (the person you hold the data about) and you have to let them know how they can access this data. There are very few exemptions to this and they mostly concern processing of data that is official or relates to non-legal activities. For most organisations it means the data you have collected must be clear, concise, and available to the data subject at their request.
2. Collection of Data
Information on where data is collected and what data is collected. This includes data that is collected from a 3rd party, or from another entity, or publically available data.
This is very specific. For each piece of data you collect you must provide:
- contact details of whomever processes it;
- details of their DPO (data protection officer or DPC data protection controller);
- the reason for use and legal basis;
- any categorisation and any point you pass the data onto someone else;
- length of time stored;
- any legal processing;
- the existence of their rights;
- the right to withdraw consent;
- right to lodge a complaint;
- where the data comes from;
- any automated decision making done from the data;
- if it will be disclosed to any other person or party;
- If the data will be used for any other purpose than that which it was originally collected.
There is an onus on the data collector to make this a simple and easy to understand process, it must be performed within one month and the consent must be explicit and not inferred. There are a few caveats concerning scientific, legal and exemptions but these will not apply to most companies.
3. Access and Reasoning
The data subject will have the right to access the data that is being held about them. They should be able to know such things the reason for processing the data, what categories are personal and who receives them. Which is broadly in line with all the rules concerning processing in the above section.
If you simply follow the rights above you satisfy most of the conditions for rights of access. The important difference is that you should not affect the rights or freedoms of others (not the data subject) by allowing this access and rights.
4. Data Changes
The right to change data is enshrined into law as the ‘right to rectification’, this allows a data subject to change any incorrect data that is being held about them. This goes so far as having a method to allow a user to change their data.
5. Deletion
Right to erasure, which is basically a method to be forgotten, to have data removed and if possible all data removed. Users have the right to make you delete all the data you hold about them and you should have a method to do so.
There are a few exceptions to this right but they concern legal processing and the rights of others where there is legal claims or precedents. For the most part any individual can view, amend or delete some, or all, of the data you hold about them.
If this data is now in the public space, or controlled by a third party you are obliged to take steps to remove it, within the bounds of technical capability and cost.
6. Restriction of Processing
The user can also request a restriction on data processing if they believe that the data is inaccurate, or they oppose the usage, where there is a legal reason or where they object to the legal grounds you believe you have to process the data.
This allows an individual to hold the processing of data about them while this is investigated and if their complaint is upheld the processing must stop. If however the controller is allowed, or believes they have the right, to process the data they are now required to inform the data subject of this before they continue processing data.
7. Communication and Requests
Any changes that are requested by rectification, erasure or restriction (change, delete or hold processing) shall be communicated to the individual data subject (unless this is impossible or disproportionate in effort). Where this is not possible, or where there are 3rd party controllers the data subject will be informed of this.
So you must keep clear communication at all times and if there is an impossible effort, people who have data but do not respond or verify what they have, or where it would be simply disproportionately expensive you should state this and why it is an issue.
8. Portability
The user can also receive all the data that a controller holds about them and be given it in an easy to transmit format. So a machine readable file with structured data. This is the right of portability and it allows users to move their data around.
There are cases where this can be denied such as contractual, legal or situations where clear consent is given to not have portability but that the data can be changed, deleted or processing stopped.
However a data processor has to provide the means to transmit the data to another controller if this is technically feasible. So a method of sending machine readable structured data by request should be sought out.
9. Profiling
The user has a right to object to the processing of personal data where it relates to profiling of that data. This is especially true, and separately stated, if that processing is for marketing and direct marketing. If a data subject objects to direct marketing, or withdraws their previously given consent, it must stop immediately.
Further to this the user must be informed of their ability to object, and that it must be ‘explicitly brought to the attention’ and presented ‘clearly’ and ‘separately’. There is a further onus that collected data services must provide an automated means to refuse processing.
There is only an exemption for scientific or historical usage and processing where it can be shown to be in the public interest, which would include medical studies to combat illness or disease.
10. Refusal of Automated Decisions
Lastly a data subject can refuse to having any decision based on automated processing of collected data. There are a few exemptions such as if you are required to perform checks before entering into, or performing, a contract. In this case the user must be explicitly informed of the reasons and consent to them. There may also be a right that is enshrined by law of the member state, however this contain safeguards to protect the user. Where the data subject has given explicit consent. Even if a person gives up their consent, or understands the reasons for a legal contract at all times the controller must try to protect their rights, freedom and to ensure their best legitimate interest.
Conclusion
The onus is on protecting the rights of the data subject. Ever with consent, caveats and exceptions there is an emphasis on ensuring the data subject is the focus for legitimacy and it is their best interests that are enshrined.
We will cover more on how you might go about ensuring these rights in the next article which will discuss how we store and manage data and how we set about deleting it. We might also present possible solutions when a conundrum presents itself.
[Don't forget that you can join in this conversation by using the comments form at the bottom of the page or by tweeting at @shadowcat_mdk]
Throughout I have used data subject, client or user to reflect the individual. I have used company, data processor or controller to reflect organisations that collect data. ↩
