GDPR Top Ten #5: New Data Subject Rights
A new perspective on privacy rights that may impact your organisation
The GDPR imposes new requirements for your organisation regarding data subject rights. What are these requirements and how can your organisation respond?
Author: Sebastian le Cat
New perspective on existing rights
The General Data Protection Regulation (GDPR) will replace the current Data Protection Directive (95/46/EC) in 2018 and incorporate new rights and protections for data subjects. Rights such as the right to be forgotten and the right to data portability bring a new perspective on existing rights and may include new obligations for your organisation. This blog explains how the new requirements may affect your organisation.
The right to access, rectification, objection, restriction and notice
Before you can start processing personal data, you should provide information to the individuals whose data you will be processing. Under the GDPR, it should be possible for individuals to access their personal data upon request. Furthermore, the purpose of processing, the categories of personal data, the recipients of the data and a copy of the collected personal data should be available.

When data about an individual is inaccurate or incomplete, individuals have the right to request a rectification. If the incorrect data has been transmitted to third parties, your organisation is also required to inform these parties about the incorrect data, unless this requires a disproportionate effort. Your organisation is required to respond to all requests within one month, which could be extended by two additional months depending on the complexity of the request.

Data subjects also have the right to object. If a person objects to data processing activities, your organisation has to end such activities. If you really need to continue processing, you must be able to prove that you have compelling legitimate grounds that override the interests, rights and freedoms of the data subject.
The right to be forgotten
The right to be forgotten (in the GDPR also described as the right to erasure) has been talked about a lot, and there have been many misunderstandings about its application. It requires your organisation to erase the personal data of a person within one month if:
- Personal data are no longer necessary for the initial purpose
- The data subject withdraws consent
- The data subject objects to the processing
- Data is unlawfully processed
If one or more of these grounds apply, you must take reasonable steps to erase the personal data. This includes requesting third parties to remove such data as well. If your organisation has made the personal data public, you should also inform other parties who process the personal data. However, the right to be forgotten is not absolute. A request for deletion can be denied, for instance when the right of freedom of expression and information prevails or when the processing is in the public interest.
The right to data portability
New in the GDPR is the right to data portability. The right to data portability creates the possibility for data subjects to obtain and reuse their personal data across different services. The data subject is entitled to request a copy of their data in a structured, commonly used and machine-readable format. The data subject can then transmit their data to another controller of their choice.
The implementation of data portability in your organisation can be divided into different stages. First of all, you need to adjust your systems to facilitate a data portability request. The system must be able to provide the option to access, erase, restrict and adjust the data.
Secondly, you need to implement a structured process to fulfil the request smoothly. To respond within the given timeframe, it is important that different departments, such as Legal, IT and Communication, communicate with each other.
Data portability is not an absolute right, and a determination must be made with regard to legitimacy of the request: it should for instance be weighed against the rights of others. The processing must also be based on the user’s consent or a contract, otherwise the right to data portability does not apply and your organisation is not required to fulfil the request.
The new right to data portability imposes fairly invasive obligations on your organisation. If you are able to implement the right to data portability, you will likely cover many data subjects' rights in general. This also goes the other way: if you already have processes in place to fulfil erasure, access and restriction requests, you may be just a few steps away from full compliance with the right to data portability.
A good idea formalised
What enforcement methods are at the disposal of the DPA to ensure compliance?