GDPR – Control of Data
GDPR PRACTICAL COMPLIANCE
WHAT INDIVIDUALS’ RIGHTS TO CONTROL DATA MEANS TO YOUR BUSINESS
ERASURE, RESTRICTION AND OBJECTION TO DATA PROCESSING
In the biggest change to data protection since 1998, GDPR aims to offer those within the EU greater control over their personal data – that is, any data which can identify the individual, in accordance with the new and much broader definition of such data. This brings with it increased personal data rights for individuals (data subjects), which organisations controlling and/or processing data must facilitate.
There are 3 GDPR rights which are currently causing data controllers and processors some practical compliance concerns, namely the individual’s rights to:
- be forgotten (Article 17 of GDPR)
- restrict processing (Article 18)
- object to processing (Article 21)
Let’s start by examining each of these rights.
What does the right to be forgotten mean?
Individuals exercising this right can ask for their personal data to be deleted if there is not a “compelling reason” for its continued processing. It doesn’t actually mean that the individual can demand that their personal data be completely erased, but rather that their personal data is not processed where specific circumstances apply, including the following:
- the personal data is no longer necessary in relation to the purposes for which it was originally collected or processed
- the individual withdraws their consent (if the basis for the legality of the processing was consent)
- the individual objects to the processing and there are no “overriding legitimate grounds for the processing”
- the personal data has been unlawfully processed
- compliance with a legal obligation means that the personal data has to be erased
- the data has been collected in relation to the “offer of information society services” to a child
What does the right to restrict processing data mean?
This right enables an individual to control how an organisation can use their personal data where any one of the following occurs:
- that individual is contesting the accuracy of their personal data which means that the use (processing) is restricted for sufficient time to enable the organisation to verify the accuracy of that personal data
- the processing is unlawful and the individual doesn’t want their personal data erased and, instead, requests the restriction of its use
- the organisation no longer needs the personal data itself
- the organisation (controller or processor) doesn’t actually need to use (process) the personal data, but the individual needs that data for the establishment, exercise or defence of legal claims and so wants the use (processing) restricted whilst the data itself could be made available to that individual
- the individual has objected to processing where it was necessary for the performance of a public interest task or purpose of legitimate interests (pursuant to Article 21(1)) and the use (processing) is restricted whilst the organisation verifies whether their legitimate grounds override those of the individual
It means that an organisation can:
- still store the data and retain sufficient (just enough) information about the individual to ensure that the relevant restriction is respected in future
- but not further process it.
What does the right to object mean?
The GDPR Article 21 right to object applies in 3 circumstances:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
- direct marketing (including profiling)
- processing for purposes of scientific/historical research and statistics
(1) Legitimate interests
Organisations must stop processing the personal data unless:
- they can “demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual” or
- the processing is for the “establishment, exercise or defence of legal claims”
(2) Direct marketing purposes
Organisations must:
- deal with an objection to processing for direct marketing and
- stop processing personal data for direct marketing purposes as soon as an objection is received – there are no exemptions or grounds to refuse
(3) If personal data is processed for research purposes
Individuals must have “grounds relating to his or her particular situation” in order to exercise their right to object to processing for research purposes.
However, where the organisation is conducting research where the processing of personal data is necessary for the performance of a public interest task, it is NOT required to comply with an objection to the processing.
Practical issues for compliance?
Recital 59 of GDPR makes it clear that organisations need systems in place to facilitate individuals exercising their rights and, from a practical standpoint, these will need to be capable of fast action, efficient and cost-effective. For example:
(1) In some circumstances, the right to object requires the organisation to stop processing personal data for direct marketing purposes as soon as an objection is received.
(2) Responses to requests from individuals regarding the right to be forgotten or restrict processing:
- have to be “without undue delay” (within 1 month). Although the organisation may be able to refuse, provided it complies with the criteria (such as the fact that the data is required to establish or defend a legal claim), it must still notify the individual about this “without undue delay”
- moreover, if that data has been disclosed to third parties, then the organisation has to inform the other parties involved, unless
  - it is impossible or
  - it involves disproportionate effort to do so
This will of course depend on the individual circumstances and guidance from the supervisory body (ICO).
(3) Organisations can’t make a charge to facilitate individuals in the exercise of their rights. Even the £10 charge in relation to Subject Access Reports (when an individual wants to know what information is held about them) has been abolished, with charging fees only possible in limited circumstances (such as requests which are “manifestly unfounded”).
Will there be clear guidance about facilitating rights?
At the moment, the UK’s data protection bill is passing through parliament, and Lord Storey has said that “terminology needs to be clearly defined, not left open to later judicial interpretation”. So we may have clarification as to what constitutes “disproportionate effort”, or it may be left to the data controller themselves to determine.