Their rights and your obligations under the GDPR
The General Data Protection Regulation (GDPR) provides individuals with certain rights when a business processes their personal data. Personal data includes information relating to natural persons who can be identified or who are identifiable, directly from the information in question or who can be indirectly identified from that information in combination with other information.
In addition to the obligations on businesses to process personal data in line with the GDPR principles of lawfulness, fairness and transparency, businesses must also be alive to the 8 rights contained in Articles 14 – 22 which are conferred on individuals. These are:
- the right to be informed about the collection and use of their personal data;
- the right of access to a copy of their personal data and other supplementary information;
- the right to rectification of inaccurate personal data;
- the right to erasure of personal data;
- the right to restrict processing of their personal data;
- the right to data portability for receipt and transmission of their personal data;
- the right to object to the processing of their personal data; and
- their rights in relation to automated decision making and profiling.
What does my business need to know?
An individual can exercise their rights at any time, and failure to act on a request or to provide the correct information could prove costly for any business, both financially and from a reputational standpoint. In 2019 alone we have seen an enforcement notice served by the Information Commissioner’s Office (ICO) on a business for failure to respond in full to a Subject Access Request, a business fined £400,000 for sharing data unlawfully and another business fined £40,000 for sending spam emails, with each being published on the ICO’s website.
The action taken by the ICO earlier this year fell under the remit of the Data Protection Act 1998 (DPA 1998), which was in force at the time of the ICO’s investigation. The DPA 1998 carried a maximum financial penalty in civil cases of £500,000. With the introduction of the GDPR on 25 May 2018 came tougher sanctions for non-compliance. The ICO now has the power to impose a civil monetary penalty on a business of up to €20,000,000 (£17 million) or 4% of global turnover for the most serious offences.
The right to be informed – your Privacy Notice
The right to be informed goes to the heart of the transparency requirement under the GDPR. When a business starts to deal with an individual’s personal data, it must inform the individual of the purpose for which their personal data is being collected, how long it will be retained for and who it will be shared with.
Commonly this is achieved (in addition to other supporting documentation) by way of a privacy notice, which should be made readily available to an individual in either hard copy or electronic format. A privacy notice will need to be tailored to a business’s particular data processing activities if it is going to comply with this right.
Subject Access Requests – are you prepared?
An individual has the right to obtain a copy of the personal data a business holds about them as well as supplementary information. This is commonly known as “the right of access” and an individual will exercise this right by making a Subject Access Request (SAR). Businesses should have a clear procedure in place in order to deal appropriately with SARs when received. If they do not deal with SARs appropriately, they will be in breach of the GDPR and risk an individual looking to the ICO for redress, such as in the case of SCL Elections.
SCL Elections (also known as Cambridge Analytica) were fined £15,000 in January 2019 for failing to comply with an enforcement notice issued by the ICO. SCL Elections had failed to fully respond to a SAR within the statutory time period provided and following a complaint to the ICO by the individual concerned, were investigated.
The ICO served an enforcement notice on SCL Elections providing them a further 30 days in which to respond appropriately to the SAR. When they failed to comply with the enforcement notice, the ICO took the decision to prosecute. SCL Elections appeared at Hendon Magistrates’ Court where they pleaded guilty. They were fined £15,000 and ordered to pay £6,000 in costs and a £170 victim surcharge.
The right to rectification and erasure
The right to rectification provides an individual with the right to request that a business corrects their inaccurate personal data, but also to complete it if it is incomplete. The right to erasure concerns an individual’s right to have their personal data erased, more commonly known as “the right to be forgotten”.
The right to restrict processing
In certain circumstances, an individual can exercise their right to restrict processing, meaning an individual can limit the way a business uses their personal data. The right to restrict processing can be used by an individual as an alternative to a request for erasure. It can also come into play alongside the right to rectification and on raising an objection to processing.
One example of when an individual might exercise their right to restrict processing is when a request for rectification has been made and a business is in the process of reviewing that personal data. It can also apply if the individual has objected to a business processing their personal data. In both of these circumstances, the individual has the right to request that the processing of their personal data is restricted whilst a business fully investigates the request. It would therefore be wise for a business to automatically restrict its processing of the individual’s personal data following a request for rectification or on receipt of an objection.
The right to data portability
The right to data portability allows an individual to request that a business provides their personal data directly to another business. It also provides that an individual should receive the personal data collected about them by a business in a structured, commonly used and machine readable format.
This particular right only applies in very limited circumstances and will only apply to the personal data that the individual has provided to the business. If a business has the ability to transport the personal data to another business, then the business which received the request is not responsible for what that receiving business then chooses to do with that personal data. However, a business transmitting personal data at the request of an individual is responsible for that data whilst in transit. It must take appropriate steps to ensure the personal data is transferred securely and to the correct recipient.
Should the personal data not be sent to the correct recipient then a data breach will have occurred. A business may then find itself in the position of having to report to the ICO and notify the individual of the breach.
The right to object
An individual is able to object to the processing of their personal data by a business. A business must inform an individual of their right to object; often this will appear in a business’s privacy notice.
It is important to note that there is an absolute right for an individual to object to, or “opt out” of, their personal data being used for direct marketing purposes. If a business is advised by an individual that they no longer wish their personal data to be used for marketing purposes, it should add the individual to a “do not contact” list. The individual’s personal data should not be deleted, so that they do not migrate back onto the contact list at a later date. The individual should also be informed that their personal data will be retained on the “do not contact” list for this reason.
Automated decision making and profiling
The GDPR contains provisions regarding automated decision making and profiling of individuals. An automated decision is one made solely by automated means without human involvement. Profiling is the automated processing of personal data to evaluate certain things about an individual and can also be part of an automated decision-making process.
What to consider on receipt of a request
There is no specified format in which any of the requests set out above need to be made. Further, these requests can be made in writing or verbally. For requests made verbally, a policy should be in place to govern how a business will record these requests.
Training should be provided to staff so they are equipped to identify and deal appropriately with any request a business may receive.
Once a valid request has been made, a business must respond without undue delay and in any event within one calendar month of receiving the request. In certain circumstances this can be extended by a further two months, resulting in a maximum of three months in total; however, a business must advise the individual of the reasons for extending within the first calendar month.
How we can help
At Trethowans, our team of Regulatory Solicitors are experienced in providing both reactive and proactive advice when dealing with individuals’ rights.
Proactively, our Regulatory Team are able to assist in drafting tailor-made privacy notices and policies, and in ensuring that a business has appropriate procedures in place ahead of receiving any requests. They are also able to provide effective training to businesses to ensure they remain GDPR compliant.
Reactively, our Regulatory Solicitors can advise businesses on how to deal with requests on receipt (such as a SAR) and advise on individuals’ rights generally.
Contact our specialist Regulatory Lawyers today on 0800 2800 421 to ensure your business is GDPR compliant, or submit an online enquiry form and a member of the team will get back to you as soon as possible.