Continuing the GDPR series of posts, let’s examine what those individual data rights are.
You can summarize them with these words:
- The right of consent
- The right to access the data
- The right to change data
- The right to complain
- The right to erasure
- The right to portability
I’ll pick them off one by one, but remember that this is not a fine-detail description of the legal niceties — if you want that, follow the links. This article just explains each right in outline.
The Right of Consent (link)
Under GDPR, organizations cannot store an EU citizen’s data unless that person gives unambiguous consent. There are some exclusions (see the Right to Erasure, later in this article). The precise words used in the regulations are: “freely given, specific, informed and unambiguous.” Consent has not been given if the organization requesting the data never asks for it, or relies on pre-ticked boxes to indicate consent. Those who haven’t explicitly opted in have, in effect, opted out. No matter what data they provided, the organization has no right to store it.
To make matters more awkward, consent must be given for each process applied to the data. So perhaps XYZ Company stored my data so it could process my orders. That’s fine, but it cannot aggregate that data with other people’s data and start analyzing it unless I also agree to that. So it behooves companies to ask for all the permissions they need at once.
GDPR also restricts the automated processing of personal data to analyze or predict an individual’s behavior. Specifically, the regulations restrict this activity if it will have a significant impact on an individual, such as in a hiring or credit decision. Many companies will have to adjust their business models around such restrictions.
And if you are hoping there’s a loophole for data already stored, there isn’t. If you never got permission, you now have to get it, both for storing the data and processing it.
The Right to Access the Data (link)
This is more complex and far-reaching than the word “access” implies. First of all, the EU citizen has the right to ask whether an organization is holding and processing his or her data, whether or not they have ever had any interaction with that organization. Having discovered that this is the case, they have the same rights as if they had volunteered the information. They then have the following rights, as well as all the other rights described in this article:
- To access the data.
- To know what data is held, and where it came from.
- To know the purposes of the processing done on it.
- To know to whom the data has been disclosed, including recipients in other countries or international organizations. If that is done, all the data rights have to be enforceable at the destination. (see this)
- To know how long the data will be stored or, if that cannot be stated precisely, the criteria used to determine that period.
Beyond that, individuals have the right to know of the existence of automated decision-making on their data, including profiling, and “meaningful information about the logic involved,” as well as the significance and the consequences of such processing for the data subject. Or, to put it simply, if you are analyzing their data, you have to tell them exactly how and what the consequences will be for them.
The Right to Change Data (link)
The right to change data enables the individual to request that data, if incorrect, be corrected. Additionally, companies will have to notify them of everyone to whom their data has been disclosed so they can get that copy of the data updated. Failure to comply with their request requires a company to explain the reason for not doing so, and it has an obligation to inform the user of their right to complain.
This could, of course, become complicated. The problem is dirty data. Nowadays, there is a considerable amount of dirty data, for a variety of reasons, including data entry errors by the data owner. The problem is that incorrect data may have negative consequences for the data owner, for example, if it is part of a credit report.
The Right to Complain (link)
So, to whom will they complain? Individuals have the right to complain to a supervisory authority; there is at least one such authority in every EU country. The situation will thus be a little difficult if your company hasn’t yet registered with an authority. For more information on that see this previous article. The authority will provide guidance on what needs to happen. Their word will probably be final.
The Right to Portability (link)
Individuals have the right to request all personal data about them from any organization holding their data. This must be transferred to them in a “machine-readable” format — so a CSV file will do. For the EU citizen, this could be very useful if they wish to build a database of personal information. Just get all of it from every company or government department you gave it to. Nice!
The Right to Erasure (link)
The “right to erasure” has also been referred to as the “right to be forgotten.” This means that EU citizens can request the complete deletion of their data. The data must be deleted without “undue delay.” So, my advice to EU citizens: If you want the data deleted, first go and collect it and put it into a personal database, then request deletion. However, there are exceptions you need to know about. You will not be able to get data deleted in the following situations:
- Legal compliance. For example, banks in most jurisdictions are obliged to keep data for seven years, so your personal data will not be erased. Also, if you have a criminal record, don’t expect to get that expunged.
- If there is a “public interest.” For example, public health, archiving for scientific or historical research or other public-interest purposes, or data needed to support legal claims.
- GDPR does not apply to paper data and microfiche data, only to digital information. Neither does it apply to technically impossible situations, such as when your data is held in a back-up file, but in that circumstance no processing of your data is allowed, and if the back-up is restored, the data must be deleted.
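The back-up caveat above (no processing of the backed-up copy, and deletion once it is restored) is usually handled with an erasure ledger kept outside the backups and replayed after every restore. The following is an added illustration, not code from the original article; the record layout, subject ids and function names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed example: an erasure ledger that lives outside the backups it governs,
# so restoring an old snapshot cannot quietly resurrect data a subject had erased.


@dataclass
class ErasureLedger:
    # subject_id -> UTC time at which the erasure request was fulfilled
    erased: dict = field(default_factory=dict)

    def record(self, subject_id: str, when: datetime) -> None:
        self.erased[subject_id] = when


def erase_subject(records: dict, ledger: ErasureLedger, subject_id: str, now: datetime) -> None:
    """Honour an erasure request: drop the live record and log the request in the ledger."""
    records.pop(subject_id, None)
    ledger.record(subject_id, now)


def restore_snapshot(snapshot: dict, ledger: ErasureLedger) -> dict:
    """Re-apply every recorded erasure to a restored backup before it goes back into service."""
    restored = dict(snapshot)
    for subject_id in ledger.erased:
        restored.pop(subject_id, None)
    return restored


def leaked_subjects(records: dict, ledger: ErasureLedger) -> list:
    """Check: subject ids that should have been erased but are still present (empty if clean)."""
    return sorted(s for s in ledger.erased if s in records)


def demo() -> dict:
    # Constructed sample data: two data subjects, a backup taken before any erasure request.
    live = {"subj-001": {"name": "A. Example"}, "subj-002": {"name": "B. Example"}}
    snapshot = dict(live)  # the back-up copy taken at this point in time
    ledger = ErasureLedger()
    erase_subject(live, ledger, "subj-001", datetime(2018, 6, 1, tzinfo=timezone.utc))
    # Later, the old snapshot is restored; the ledger must be replayed over it.
    restored = restore_snapshot(snapshot, ledger)
    return {"restored": restored, "leaks_after_replay": leaked_subjects(restored, ledger),
            "leaks_without_replay": leaked_subjects(snapshot, ledger)}
```

The `leaked_subjects` check is the thing worth wiring into a restore runbook: an untouched snapshot reports the erased subject as present, the replayed one reports none.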
If a company makes your data public, and you wish “to be forgotten,” it is obligated to take reasonable steps to get other processors to erase the data. For example, when a website publishes an untrue story about an individual and later is required to erase it, it must request other websites that have republished the story to erase their copy of the story.
Of course, this only applies when it doesn’t conflict with freedom of expression laws. In short, you can’t suppress legitimate press.
A final note: US companies that are affected by GDPR are advised to consult with their insurance brokers to determine the impact of the regulations on their insurance programs. They need to discuss the coverage of GDPR violations and the logistics of insurance policies paying out in GDPR-regulated countries.