Brew another pot of coffee; it’s time to once again delve into the dauntingly complicated world of the upcoming General Data Protection Regulation. For those of you stumbling upon this article without having seen the first, check it out here and get caught up. We’ll wait. For those of you joining us after finishing part 1, welcome back! Hopefully your chair isn’t too damp from excitement-related sweat.
In this second instalment of our GDPR compliance guide, we will cover how individuals’ privacy rights are being defined and updated. There are plenty of new privacy rights, as well as existing rights from the DPA that are being strengthened, so let’s get started.
New Individual Privacy Rights
The GDPR is all about ensuring the rights of individuals are protected in the wild west we call the internet. More often than not, breaches of these rights come from negligence rather than malice. Be mindful of your current data collection processes (which you should already have mapped out) so you can avoid breaching the GDPR.
Some of the following privacy rights are new and some are just improved versions of rights from the Data Protection Act (DPA) of 1998, but all of them must be accounted for.
The Right to Be Informed
This essentially applies to what you put forth in your privacy notices whenever you are given permission to process information. It’s an effort to keep you completely transparent about what you’ll be doing with an individual’s personal data.
Most of the current obligations for your privacy statement under the DPA still apply. However, there are a few more things the GDPR requires you to add, especially if you are collecting the data directly from the data’s owner.
To figure out exactly what needs to be included, please consult the chart below:
The Right of Access
In another attempt to make data processing more transparent, this provision gives people the right to obtain the following from you:
- Confirmation their data is being processed
- Access to their personal data
- Supplementary information, the majority of which can be found in your privacy notice
You can no longer charge a fee for this information, unlike the stipulations under the DPA. You must provide the information within one month and completely free of charge, unless the request is verifiably excessive or repetitive, in which case you can charge a reasonable fee.
The Right to Rectification
This right deals exclusively with an individual’s right to correct inaccurate information. This seems like the most straightforward data privacy right so far, but the hard part comes if and when you send that information to any third parties. If so, the burden is on you to reach out to those third parties and ensure the inaccurate information is properly rectified.
Just like the right of access, you are required to respond to the request within one month (three if the request for rectification is particularly complex).
Find out more: Right to rectification
The Right to Erasure
The right to erasure, or the right to be forgotten, is one of the better-known rules associated with data protection legislation. It stipulates that an individual can request that their information be deleted or removed from a business entity’s records when there is no compelling reason for it to continue being processed.
Despite popular belief, this rule doesn’t give people an absolute “right to be forgotten”; it applies only in the following specific circumstances:
- When the personal data is no longer necessary for the purpose it was collected
- When the data’s owner withdraws consent
- When the data’s owner objects to its processing and there isn’t an otherwise legitimate reason to continue
- When the personal data was processed illegally
- When the personal data is of use to social services relating to a child
The GDPR gets rid of the threshold established by the DPA, under which the right to erasure could only be enforced if the processing caused damage or distress. An individual only needs to qualify under one of the above to exercise the right to be forgotten, but if the processing is causing damage or distress, that certainly makes a stronger case for erasure.
The only times you can refuse to comply with a request for erasure are under the following conditions:
- To exercise the right of freedom of expression and information
- When there is a legal obligation, or the processing is needed to perform a public interest or official authority task
- For the purpose of public health in the public’s interest
- In the defense of legal claims
- Archiving for the purposes of public interest, scientific, historical or statistical research
If you are made to erase data due to this right, you are required to inform any third parties you shared the information with, unless it is impossible or involves disproportionate effort to do so.
Find out more: EU Data Protection (EUDATAP) Article 17
The Right to Restrict Processing
The right to restrict processing was originally part of the DPA as the right to halt the processing of personal data, and it hasn’t changed substantially under the GDPR. When someone exercises their right to restrict, you are still allowed to store the data, but you can no longer process it.
You are obligated to restrict processing of personal data under the following circumstances:
- When someone questions the accuracy of their personal information, you should stop processing it until you can verify its accuracy
- When someone has objected to the processing of their information and your company is deciding whether it has legal grounds to override the individual’s objection
- When the data is being processed illegally and the owner of the data requests restriction as opposed to erasure
- When you are done processing the data but the data owner needs it to exercise or defend a legal claim
Find out more: Right to restriction of processing
The Right to Data Portability
Data portability means that individuals have the right to collect and reuse their personal data in whatever capacity they see fit. They can transfer or copy their data from one digital environment to another without being exposed to security risks in doing so.
This right applies only to data that meets the following conditions:
- Personal data someone has provided to a controller
- Data whose processing is based on the individual’s consent or on the performance of a contract
- Data processed by automated means
In order to comply with this right, you must provide the personal data you process in a commonly used, machine-readable format, such as a CSV file, free of charge. If someone requests a data transfer, and it is technically feasible, you are required to transfer that data to the organization specified. You have a period of one month to comply with all portability requests.
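Restriction (“store it, but don’t process it”) and portability (“hand it back in a machine-readable format”) are the two rights above that land most directly in code, and erasure adds the obligation to tell third parties. The following Python sketch is an added example, not code from the original article: it flags a record as restricted so that business logic refuses to touch it, exports a subject’s data as CSV or JSON, returns the third parties to notify on erasure, and computes the one-month (or three-month, for complex requests) response deadline. The class and function names, the deadline helper and the sample record are all assumptions made for the example.

```python
"""Handling restriction, erasure and portability requests for a record store.

Illustration added to this guide; it is not code from the original article.
Class and function names, the deadline helper and the sample records are
assumptions constructed for the example.
"""
import calendar
import csv
import io
import json
from dataclasses import dataclass, field
from datetime import date


class ProcessingRestricted(Exception):
    """Raised when code tries to process a record whose subject restricted processing."""


@dataclass
class SubjectRecord:
    subject_id: str
    personal_data: dict
    restricted: bool = False
    # Third parties this record was shared with; they must be told about
    # rectification or erasure (unless that is impossible or disproportionate).
    shared_with: list = field(default_factory=list)


class RecordStore:
    """In-memory store that enforces the 'store but do not process' rule."""

    def __init__(self) -> None:
        self._records: dict = {}

    def add(self, rec: SubjectRecord) -> None:
        self._records[rec.subject_id] = rec

    def restrict(self, subject_id: str) -> None:
        # Restriction keeps the data stored but flags it so business logic
        # (analytics, marketing, profiling) must refuse to use it.
        self._records[subject_id].restricted = True

    def lift_restriction(self, subject_id: str) -> None:
        self._records[subject_id].restricted = False

    def process(self, subject_id: str, fn):
        """Run business logic over a record; refuse if the subject restricted it."""
        rec = self._records[subject_id]
        if rec.restricted:
            raise ProcessingRestricted(subject_id)
        return fn(rec.personal_data)

    def erase(self, subject_id: str) -> list:
        """Delete the record and return the third parties that must be informed."""
        rec = self._records.pop(subject_id)
        return list(rec.shared_with)

    def export_csv(self, subject_id: str) -> str:
        """Portability export: the subject's own data as CSV (field,value rows).

        Assumption: handing data back to the subject is still allowed while
        processing is restricted, since storage itself remains permitted.
        """
        rec = self._records[subject_id]
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["field", "value"])
        for key in sorted(rec.personal_data):
            writer.writerow([key, rec.personal_data[key]])
        return buf.getvalue()

    def export_json(self, subject_id: str) -> str:
        return json.dumps(self._records[subject_id].personal_data, sort_keys=True)


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of a short month."""
    month_index = d.month - 1 + n
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def response_deadline(received_iso: str, complex_request: bool = False) -> str:
    """ISO date by which a request must be answered: one month, three if complex."""
    received = date.fromisoformat(received_iso)
    return add_months(received, 3 if complex_request else 1).isoformat()


def run_demo() -> dict:
    """Walk one constructed subject through restriction, export and erasure."""
    store = RecordStore()
    store.add(SubjectRecord("u1", {"name": "Ann", "email": "ann@example.test"},
                            shared_with=["mailer-vendor"]))
    results = {"before": store.process("u1", lambda d: d["name"].upper())}
    store.restrict("u1")
    try:
        store.process("u1", lambda d: d["name"].upper())
        results["blocked"] = False
    except ProcessingRestricted:
        results["blocked"] = True
    results["csv"] = store.export_csv("u1")
    results["notify"] = store.erase("u1")
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
    print(response_deadline("2018-01-31"))  # prints 2018-02-28 (clamped to month end)
```

The point of `process()` taking the business logic as a callable is that every consumer of personal data goes through one gate, so a restriction request is honoured by construction rather than by remembering to check a flag in each pipeline. The deadline helper uses calendar months, clamping a 31st to the last day of a shorter month, rather than a flat 30 days.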
Find out more: Article 29 Data Protection Working Party
The Right to Object
The final data privacy right under the GDPR covers the types of data operations individuals can flat-out object to. Individuals have the right to object to any of the following:
- Processing based on legitimate interests or the performance of a task in the public interest (including profiling)
- Any form of direct marketing
- Processing for scientific or historical research/statistics
From a digital marketer’s perspective, the second bullet is the most important to consider. Essentially, this applies to opting out of direct marketing. If you’re processing data for the purpose of direct marketing and an individual objects, you are required to stop immediately. There are no exceptions to this rule.
These requirements are similar to those under the DPA, so chances are there won’t be much to update.
Find out more: Right to object
For more information about everything GDPR, check out these articles:
- Achieving GDPR Compliance | Part 1
- How Does the General Data Protection Regulation Affect Your Marketing
- The Impending Brexit Data Dilemma