When it comes to the new General Data Protection Regulation (GDPR), there is lots for marketers to take on board. Previously, we investigated some of the finer points around personal data and customer consent. Here, we look at some of the procedures covering the rights 'data subjects' (customers) have.
While the rights of data subjects are broadly the same as those under current law, now is a good time to assess whether your organisation needs to change its procedures to conform to the updated regulation.
1. What are the guidelines relating to policies and transparency?
As a 'data controller', your policy relating to the processing of personal data needs to be transparent and easily accessible, presented using clear and plain language. The policy also needs to include information about how a customer can exercise their individual rights.
2. What information needs to be provided within the policy?
You must supply a customer with at least the following information:
- The identity and contact details of the data controller
- The purposes of the processing and the legal basis for it
- How long the personal data will be stored for, or the criteria used to decide that period
- The rights to request access to personal data, to have it rectified or erased, and to object to its processing
- The contact details for the supervisory authority, and the right to lodge a complaint with it
- Who the recipients of the personal data are
- Whether you intend to transfer the customer's personal data to countries outside the EU, and what data protection safeguards apply
- Whether supplying personal data is obligatory or voluntary, along with any consequences of failing to provide it
- If the personal data is not collected from the customers themselves, where it originates from
3. What are the regulations relating to data subject access requests?
Anyone whose data you collect has the right to make a data subject access request (SAR) and you are required to facilitate these requests.
Currently, you are obliged to provide the information within 40 days. Under the new regulation, a SAR must be answered within one month of receipt. This deadline can be extended by a further two months where requests are complex or numerous, but you must tell the customer about the extension, and the reasons for it, within the first month.
The information must be supplied in writing or, where the request was made electronically, in a commonly used electronic form, unless the customer asks for it in another form.
4. Can an organisation charge for a SAR?
Currently, you may charge a fee of £10 to process a SAR (up to £50 for health records). Under the new rules, access to personal data must be provided free of charge. However, where requests are “manifestly unfounded or excessive”, for example because they are repetitive, you may charge a reasonable fee based on the administrative cost of responding, or refuse to act on the request. The burden of showing that a request is unfounded or excessive falls on you.
5. What information needs to be included within an access request?
Along with the purposes of the processing, and the categories of personal data that have been collected, you must also supply the following information:
- The recipients of the personal data, including recipients in third countries outside the EU
- How long the data will be stored, or the criteria used to decide that period
- The right to request rectification or erasure of personal data
- The right to object to processing
- The right to lodge a complaint with the supervisory authority
- Whether any automated decision-making, including profiling, is applied to the data, with meaningful information about the logic involved and the significance and envisaged consequences for the customer
6. What rights do individuals have to amend their personal data?
Customers have the right to make changes to the personal data that you have collected about them in the following ways:
- The right to rectification: to correct personal data about them that is inaccurate, and request the completion of incomplete data.
- The right to erasure ('right to be forgotten'): for personal data to be removed without undue delay when:
  - The data is no longer necessary for the purpose for which it was collected or processed
  - The customer withdraws the consent on which the processing is based and there is no other legal ground for it
  - The data has been unlawfully processed or otherwise does not comply with the Regulation
  - The data must be erased to comply with a legal obligation, for example because its retention period has expired
  - The customer objects to the processing and there are no overriding legitimate grounds for continuing it
  - The data was collected from a child in connection with online (information society) services
- The right to data portability: this is a new addition to the regulation, and critics fear that it could lead to disproportionate compliance costs. It requires organisations to hand over the personal data a customer has provided to them in a structured, commonly used and machine-readable format, and to transmit it directly to another controller where technically feasible, for example when an individual wishes to switch between service providers.
7. Are there instances when the personal data does not have to be amended or erased?
There are a few exceptions that can justify the retention of personal data, such as:
- Exercising the right of freedom of expression (the processing of personal data carried out for journalistic purposes or the purpose of artistic or literary expression)
- Reasons of public interest in the area of public health (such as cross-border health threats)
- Archiving in the public interest, or scientific, historical or statistical research, where erasure would seriously impair those objectives
- Compliance with a legal obligation under Union or Member State law, or the establishment, exercise or defence of legal claims
Rather than erasure, you can restrict processing of personal data where:
- The data’s accuracy is contested by the customer until you can verify it
- You no longer need the data, but the customer needs it retained for the establishment, exercise or defence of legal claims
- The processing is unlawful, but the customer asks for restriction rather than erasure
- The customer has objected to the processing, pending verification of whether your legitimate grounds override theirs
Sorting out your procedures and policies now will make the transition to GDPR easier when it applies from 25 May 2018. In particular, establish how your organisation will handle a potential influx of data subject access requests within the new one-month limit.
The General Data Protection Regulation
A Practical Guide for Businesses
This White Paper, created by data protection specialists Opt-4, provides a thorough look at how GDPR will change existing laws, and offers suggestions for what you can do now to prepare for GDPR.
This White Paper also covers:
- The global scope of GDPR
- How GDPR will change consent, processing and profiling
- The new rights for data subjects
- Guidelines for Data Protection Officers
- Liabilities, penalties and enforcement