A suggested easy approach to understanding GDPR is to consider it in these three parts:
Part one – Accountability (you can read it here)
Part two – Putting the data subject at the heart of compliance
Part three – Tightening the security net
This article focuses on…
Part two – Putting your data subject at the heart of compliance
GDPR seeks to rebalance the rights of individuals when dealing with large organisations that want to collect and use their personal data. It is based on the understanding that our personal data belongs to us; we effectively license organisations to use it as necessary to provide services at our request. So subject rights have been strengthened in GDPR.
Changes to the right of subject access
We are familiar with the right of subject access; it remains under GDPR but in an amended form:
- it will no longer be possible to charge even a small fee to respond to a request
- there is only one calendar month in which to respond to requests
- there are additional information requirements: further information must be provided as part of the response to the access request
- critically, if a subject access request is made by electronic means, email for example, then the response must be made electronically rather than on paper.
A new right to data portability
One of the new rights under GDPR is a right to data portability. This requires controllers of data to be prepared to give data subjects a version of their personal data in a format compatible with other platforms so that their personal data can be switched from one service provider to another easily. The recitals in GDPR explain that this is to facilitate switching between service providers.
A new right to be forgotten
Another new right under GDPR is the right to be forgotten. Unless there is a compelling reason to retain the personal data, it must be deleted at the request of the data subject. Even when there is a compelling reason to retain the data, it might be necessary to restrict its use until such time as it may be deleted safely.
Restriction of data processing
This right works with the right to be forgotten or independently to give the data subject control over his or her data while a challenge to its accuracy, or the right of the organisation to process it, is made and determined.
More information to be included in Privacy Notices
Information to be provided to data subjects is reclassified as a right under GDPR. The mandatory content of a Privacy Notice is extended to cover an explanation of subject rights, details of how long the organisation intends to retain the data, information about the grounds for fair processing on which the organisation relies when processing the data and details of any transfers of the data outside of the EEA with a description of the relevant safeguards for that transfer.
Privacy notices are always a key part of data protection compliance as they form the authority to process personal data and circumscribe that authority. They are also accessible as part of the public face of the organisation, being published on websites and in other materials.
New standard for “consent”
Consent of the data subject has probably been too central to many processing operations in the past. There has been no acknowledgement that the data subject is often not in the best position to make the decision whether to allow the processing or not. Data subjects have typically been ill-informed about the risk, possibly under a degree of duress from the data controller, or tricked into agreement when opt-out boxes are used, or pre-checked opt-in boxes are used in a way that is not designed to facilitate positive consent. GDPR addresses these issues by clarifying what is meant by consent: it has to be informed, specific, unambiguous and a positive indication. The following cannot be construed as consent:
- a term in a contract
- pre-ticked boxes
- general statements as to processing purposes; these must be specific
- compulsory consent as part of a service
New rules when processing data relating to children
Children are given greater protection by requiring processes to determine the age of young data subjects and then to obtain the approval of an adult to establish consent. The right of erasure (right to be forgotten) also applies specifically to subjects who published personal data to a website when they were under the age of 18.
GDPR allows for class actions to enforce subject rights.
Empowerment of data subjects is key to GDPR and the right to compensation means that organisations will be penalised and individuals encouraged to enforce compliance. The effect of social media campaigns targeting specific organisations or platforms to share data protection concerns among data subjects should not be underestimated.
A suggested approach
Adopt policies and procedures to respond to the exercise of subject rights. Appoint one or more persons responsible for ensuring that the exercise of subject rights is managed end to end.
Train staff to recognise when subject rights are being exercised and provide template acknowledgement notices for them to use.
We advise clients to plan for managing the exercise of subject rights if, for example, one request for access were received, if ten requests were received in the same week, and if 100 were received in one week. The strategy for dealing with these three situations is different and raises different concerns, which are best addressed before the situation arises for real.