Context:
At the core of the GDPR is the intention to give control of personal data to the individual to who it relates. In order to do this the GDPR describes certain ‘rights’ that the data subject has in controlling their data.
The description of these rights within the GDPR is extensive. As an indication of scope and scale, the following sections and articles deal with rights:
- Chapter 3 – Rights of the data subject
- Section 1 – Transparency
- Article 12 – Transparency, plain language, separate, explicit
- Section 2 – Information & Access
- Article 13 & 14 – Provision of information to the data subject
- Article 15 – Access, purpose of processing, recipients,
- Section 3 – Rectification & Erasure
- Article 16 – Correction of data
- Article 17 – Right to be forgotten
- Article 18 – Restriction of processing
- Article 19 – Notification
- Article 20 – Portability
- Section 4 – Objection and Automated Decision Making
- Article 21 – Objection
- Article 22 – Automated decision making & profiling
- Section 1 – Transparency
Considerations:
Under the GDPR personal data is considered to be owned by the individual so keeping this in mind will help when deciding how to satisfy their rights.
The regulation seeks to give individuals the ability to control their own data and therefore you organisation should have the ability to allow the individual to do this and inform them of how it can be done.
A key point to note is that not only is your organisation responsible for ensuring these rights for the data it holds, it also has responsibilities for information that is held or passed to third parties with which it works.
How to:
Implement the following systems and process to support the rights of data subjects:
- Tell individuals about their rights. Do this in a clear, unambiguous way and make it available from the beginning of any interaction you have with the individual. It is reasonable to have these rights defined and explained within your website or other materials however burying this explanation deep within a privacy notice would not be clear or explicit enough.
- Have processes in place to support the rights of individuals. Be able to correct and delete data when requested and be able to give the data subject a copy of this data in a widely used format. (See Right of Access)
- If any complaints are received, be able to stop that processing while you investigate and keep the data subject informed of progress.
- Be able to remove an individuals personal data from all systems. This includes: CRM systems, Sales databases, Helpdesk systems, Backups, Information retained by cloud providers and their backups, any information passed to third parties, documents and spreadsheets, paper records and files etc etc. The possible locations of this data are quite extensive.
- Communicate internally so that everyone in your organisation understands the obligations relating to data subjects rights.
- Check which third party arrangements you have in place and ensure that they also recognise the rights of individuals
- Recognise that data subjects own their personal information
Common Scenarios:
A customer asks to leave your service
- Under the new regulation a customer could request that you erase all data relating to them. Your organisation would be obligated to remove each and every instance of records relating to that customer from all systems – including those systems of any partner or supplier organisations to whom the data may have been passed. There is a caveat here in that if there is other legislation in place such as financial, HR or national then the personal data could be retained for an extended period as defined under those other laws.
New customer enquiry
- When responding to an enquiry from a new customer you must at the time tell them about their rights in respect of their data. You must do this in a clear and unambiguous way. You should ensure that the rights are explained separately from each other.
References:
- GDPR Recitals: 19, 39, 42, 50, 58-61, 63, 65, 66-73, 75, 141-143
- GDPR Articles 12-22
