Part 2 – GDPR: A view from a data organisation

This is the second of two pieces based on the GDPR; the first, should be read first, and can be found here.

The Information Commissioners Office (ICO) has published a simple document twelve steps to take now. There is also the much more detailed Guide to the General Data Protection Regulations.

These two pieces are intended as a gentle introduction, and are not definitive. The Guide is.

Under GDPR, the data subject has rights.

There is a list of these rights:

• The right to be informed
• The right of access
• The right to rectification
• The right to erase
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling

Right to be Informed

This is probably the most difficult and demanding part of the entire GDPR. The right is slightly different according to how the data was obtained.

Personal data may have been obtained directly, by asking the data subject; filling in a form or whatever. Or, the data may have been obtained indirectly, by monitoring behaviour such as keystrokes, by combining other data sets (which may include public data), or by algorithms (perhaps using social media or the like).  In many cases there will be direct data and subsequently indirect data, such as where the user registers with a service and then the service monitors keystrokes, online product orders, or similar.

The right to be informed – via a ‘privacy notice’ – arises however the data was obtained, but is more onerous where the data was obtained indirectly.

In any case, it must be concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge.

The GDPR has a list of what must be included in the notice. There are two list items, required where the data was obtained indirectly, which needn’t be included where it was obtained directly. There is also the issue of when the subject must be notified. This is all discussed below.

If the data was obtained directly, the notification must include

1. The purpose of and lawful basis for the processing
2. How long the data will be retained (or how that is determined)
3. The data controller/processor’s identity (or their representative)
4. How to contact the data controller/processor/representative
5. Any third party (or category of third parties) who will receive the data
6. Details of any transfer to another country (and safeguards in the event of a transfer)
7. The existence of each of the data subject’s rights
8. The right to withdraw consent at any time (if it is relevant), and the right to object (see below)
9. Whether the provision of the data by the data subject is a statutory/contractual obligation

and if so the consequences of non-compliance with data provision

10. If relevant, the legitimate interests of the controller/any third party
11. The right to lodge a complaint with a supervisory authority (the ICO)

If the data was obtained indirectly (or partially so), the notification must also include

12. The categories of the personal data (remember, it wasn’t volunteered so they don’t know what it is)
13. The source of the data, and whether the source is publicly available

Note that item 9. above doesn’t apply to indirectly obtained data.

When must the data subject be notified?

If directly obtained, at the time the data was obtained. If indirectly obtained, notification is trickier, as the data subject may not know about the data at all.

If the data is to be used to contact the data subject, the notification must at the latest be when they are contacted. If the data is to be disclosed to a third party, before the disclosure. And in any event, notification must be within a reasonable time (which must be no more than one month).

You need something setting all this out – it needn’t be a single document – but you must be transparent about it, and the document needs to be accessible in every sense of the word.

You may need several different notification processes depending on circumstances. And a link to a notice is fine.

All of the above is difficult stuff to get your head round, but bear with it. Read it a few times. Think about the personal data you hold. What do you do with it and why? How long do you keep it?

Perhaps you’ve never considered it before, but when does it stop being useful for the purpose for which it was collected, in which case you need to delete it at that point. Or, you could permanently anonymise it, in which case it stops being personal data and the rules no longer apply. It is only anonymised if nobody, including you, don’t know and can’t find out to whom it relates.

For each category of personal data you hold, go through the, consider what you would have to say. And consider how you might say it. Make it brief and simple. The task isn’t as onerous as at first it appears.

Other Rights of the Data Subject

These are much simpler.

The Right of Access is essentially the data subject’s right to access the personal data. That means you need a simple system enabling them to do that.  It might be an ability to log in online, but it might simply require them to contact someone. You must be able to verify who they are, else you will have allowed a data breach.  You cannot charge a fee, except where the request is manifestly excessive, repetitive, or unfounded. And the information must be provided promptly, and at least within one month (extendible by a further two months if requests are complex or numerous). But for most SMEs that is easily doable. What you need is a documented, workable, process.

The Right of Rectification is the right to correct errors in the data. Again, you need a process, but again it is doable, much as with the Right of Access. But note, if you share the data with third parties you must notify them of the rectification if you can.

The Right to Erasure. Not a ‘right to be forgotten’, and not necessarily an absolute right.  In general, the data subject has a right to erasure of their data unless there is an overriding public interest in retaining it. And again, you make every effort to notify third parties who have received the data.

The Right to Restrict Processing. Effectively means you may keep the data but not make use of it. If the lawfulness of the processing or the accuracy of the data is contested processing should be stopped until the issue is resolved.

The Right to Data Portability. That is, the data subject has the right to a copy of the data (in usual machine-readable forms such as .csv) so that they can transfer it elsewhere. You may not charge for this, and the usual time-limits apply (see above).

The Right to Object. Regardless of anything else, the data subject has a right to object to processing for the purposes of direct marketing, or for the purposes of scientific, historical or statistical analysis/research. Their objection to the latter must be based upon ‘grounds relating to his or her personal situation’. The GDPR asserts that this right must be specifically brought to the attention of the data subject separately to their other rights, and at the first point of contact.  It also appears that public interest processing may allow you to override their objections. If the processing is entirely online, you will need to provide an online objection process. 

Rights in relation to Automated Decision-making/Profiling. These are operations whereby a decision affecting an individual is made by automated means, without any human involvement (decision-making), or alternatively where automated means are used to evaluate things about a person using personal data (profiling). Profiling will in many cases be a step in an automated decision-making process. The obvious example is credit-rating, but a wide range of much less obvious examples must also be included. Any kind of targeting of customers based upon previous purchase history would, if this was automated, be covered.

The first issue is whether the profiling/decision has significant legal effects upon the person concerned (such as refusal of a credit application or a job). If it does, it is only legitimate with the data subject’s explicit authority, or for the purpose of carrying out a contract, or where it is otherwise authorised by law (such as to enable fraud detection).

If it does have significant legal effects, this type of processing is seen as high-risk, and there is a list of further rights, and steps, the processor must take. In the first place, they must carry out an impact assessment.

If you do carry out automated decision-making/profiling, and it has significant legal effects, you need to read the guidance. You might want to read it in either case.