The incoming GDPR will provide European citizens with enhanced rights over the use of their personal data, and this part of the Safeonline GDPR blog highlights why data subject rights will become one of the most difficult areas of GDPR compliance.
So what is a data subject? Well, it is simply an individual residing in the EU.
There are four rights being introduced for data subjects: the right to object to profiling, the right of data portability, the right of erasure, and the right of rectification and restriction. While some of these are currently covered under the DPA and ICO guidance, the GDPR certainly takes these rights to a new level.
Under the GDPR, a data subject cannot be subject to a decision that is made based solely on profiling unless the decision is necessary for a contract, expressly authorised by law, or has the explicit consent of the data subject. The GDPR defines profiling as any form of automated processing of personal data to evaluate a personal aspect relating to a natural person, in particular analysing or predicting aspects concerning the natural person’s performance at work, economic situation, health, interests, reliability or location.
For example, this could be particularly challenging for technology companies that use geolocation monitoring in certain mobile apps. These businesses will have to update their privacy notices and conduct an analysis of all their profiling activities. If someone specifically objects to profiling in certain categories, the company will have to ensure that it honours that objection; otherwise it will be in breach of the regulation.
Article 18 of the GDPR introduces a new right of data portability for data subjects. Upon request, a data controller must be able to provide the data subject with a copy of their personal data in a readable format, and the data controller must not hinder its transmission. This right applies only where the data is processed automatically, where consent was explicitly provided by the data subject, and where the processing fulfils a contract.
This should be a wake-up call for any company or data controller holding large volumes of legacy data. They will need to gain oversight of how much personal data they store and put procedures in place, both to govern how they respond to data subjects exercising their rights and to ensure that clear audit trails are retained to evidence explicit consent.
Under the new regulation, data controllers must be able to delete personal data at the request of the data subject. There are a number of grounds on which data controllers will be able to retain personal data, such as compelling legitimate grounds, but in most cases companies will have to ensure that they can erase data when a data subject withdraws their consent.
One of the industries that this change could materially affect is the insurance industry, because of the nature and volume of data it has been collecting for underwriting and claims purposes. Insurers and brokers will have to develop robust retention policies that define the legal basis for retaining certain types of data and for how long. Currently, under FCA protocols, brokers are required to keep certain types of policy-related data for a number of years; how these protocols will be reconciled with data subjects' rights under the UK's implementation of the GDPR will be interesting to see.
Finally, a data subject's rights under Article 15 have been enhanced. For example, the time period for dealing with subject access requests has been reduced from 40 days to one month. The enhancement also includes the right to rectification where data is inaccurate, and the right to prevent processing of personal data in certain defined circumstances, which the data controller must set out. A crucial part of this enhancement for advertising and marketing companies is that data subjects can object to direct marketing.
The ICO in the UK has already made it clear that direct marketing companies which continue to market to a data subject who has stated that they do not want to receive certain types of marketing will be hit with heavy fines. To avoid such fines under the GDPR, companies should be developing forward-looking policies that take account of these enhancements and ensure that data controllers can comply within tight time limits. Many businesses use direct marketing and rely on legacy data collected previously, so it will be no surprise if regulatory bodies like the ICO are quick to use these new requirements to make an example of companies that fail to comply and to hit them with hefty fines.