It's been almost 6 months since the sweeping changes of the Data Protection Act 2018 & GDPR came into effect. Did you know that GDPR grants 8 rights to individuals over their data? This is the source of many of the enlarged data protection obligations under the GDPR. Some of these rights are new. Others are expanded. What is important to understand as DPO is that these 8 rights should remain foremost in your mind when making recommendations for data compliance. Let's take a quick look:
#1 The Right to be Informed [Article 12,13,14]
Prior to the collection of data, individuals have to be informed as to how it will be collected, processed and for what purpose. This creates a default expectation for opt-in data collection policies.
What to Do: Create easy-to-read policies that explicitly detail what information is being stored and why. Make sure that all data collection processes prioritise informing individuals over collecting data, and that the use of data conforms to the explicitly communicated criteria.
#2 The Right to Access [Article 12, 15]
Once data has been collected, individuals have the right to know what data exists and the ongoing purposes for which that data is being used.
What to Do: You need to develop and deploy processes and technology capable of tracking all of the data in your system. You need to be able to vet the legitimacy of requests, and deliver information upon request. It is advisable that you construct an automated system capable of carrying out most of these tasks. These baseline capabilities will help you comply with the requirements of many of the other rights detailed below.
#3 The Right to Correction (Rectification) [Article 12, 16]
Individuals have the right to correct incomplete or incorrect data.
What to Do: Use the same system deployed to provide the Right to Access to vet requests, correct data and confirm the correction.
#4 The Right to Erasure (Right to Be Forgotten) [Article 12, 17]
Individuals have the right to have personal data permanently deleted.
What to Do: Again, you need the ability to track all of the personal data in your system, vet requests, and confirm erasure. Additionally, you need the ability to actually delete data. This includes the ability to track down third parties that were granted permission to access that data and ensure its complete deletion. This Right specifically cements the necessity to keep track of all data that enters your system. Losing track of data is not an excuse for not deleting it upon request. There is an implied responsibility in this Right to automatically erase data that is no longer required.
#5 The Right to Restriction of Processing [Article 12, 18]
Individuals have the right to block or suppress personal data regarding specific aspects of its use.
What to Do: This, again, comes down to the ability to track all data relating to specific individuals and vet requests. This additionally requires the ability to pause the processing of particular pieces of data and flexibly apply your processing operations. This ability to selectively process discrete segments of data is something you should build from the ground up in to any new data project.
#6 The Right to Data Portability [Article 12, 20]
Individuals have the right to move, copy or transfer personal data from one ‘controller’ to another — safely and securely. This has to be undertaken directly between the two controllers wherever technically possible, without burdening the individual beyond their initial request.
What to Do: In addition to having the technical capabilities to track down data and vet requests, your data needs to be stored in such a way that it can be safely transferred to a third-party without being deleted.
#7 The Right to Object to Processing [Article 12, 21]
Individuals have the right to object to the processing of their data without explicit consent. This Right simply reinforces the Right to Restriction of Processing and expands it to the complete cessation of processing without deletion. This Right is generally interpreted as the solidification of the right of individuals to object to third-parties gaining access to their data.
What to Do: The ability to comply with the Right to Erasure and Restriction (detailed above) will allow you to undertake the tasks necessitated by this statute. Simply stop processing data if an individual makes a request.
#8 The Right to Not Be Subject to Automated Decision Making [Article 12, 22]
Individuals cannot be forced to have decisions made about them solely by algorithms and have the right to demand human intervention.
What to Do: This requires you to inform people that they will be subject to algorithmic decisioning, and that they can opt out. Ironically, compliance with this rule is most easily achieved by using automated decisioning to vet requests and then package all of the relevant information in such a way that it can be easily passed to a human decision-maker. No matter how it is achieved, what this Right requires is setting up a fall-back system that provides individuals with access to human decision-makers for every aspect of your organisation's decision making process.