The enhanced rights of individuals in relation to their personal data under the GDPR have been the subject of much fanfare. The GDPR sets out a number of rights for individuals, which include a right to obtain rectification of inaccurate data (‘right of rectification’), to restrict the processing of personal data (‘right of restriction’), to object to their data being processed (‘right of objection’), to have their personal data deleted (‘right of erasure’), to request access to the personal data held about them (‘right of access’) and to obtain a copy of their personal data in an electronic form and to have that transmitted to another organisation (‘right to data portability’).
Whilst it is true that the GDPR makes it easier for individuals to exercise these rights, they are in the main enhanced versions of the rights which already exist under the Data Protection Act. It is only the right to data portability which is brand new. However, the increased publicity around these rights and the fact that generally there is no ability to charge a fee for exercising these rights may well result in an increase in the number of requests an organisation may receive.
The real challenge for controllers when it comes to these rights is:
- determining which right or rights an individual is seeking to exercise;
- determining whether the specific conditions relating to that right are satisfied (for example, the right to object to processing, other than in relation to direct marketing, only exists where processing is carried out on the legal basis of legitimate interests or, in the case of public authorities, on the basis of performance of a task in the public interest); and
- being able to manipulate the individual’s personal data in order to comply with the right in question (for example being able to put personal data out of use in response to a request for restriction).
On that basis, our task this month is to consider how you will manage the rights of individuals in relation to their personal data.
Individuals can make a request to exercise any of these rights in person, by telephone, in writing or via social media. Staff who may receive such requests will need to be aware of the existence of these rights, to enable them to identify when a request is made and direct it to the appropriate person within your organisation to deal with it.
It is important to note that simply because an individual makes a request in relation to their personal data, for example asking you to erase all personal data you process in relation to them, it does not automatically mean that they are entitled to this. Specific conditions apply: for example, if your organisation has an overriding legitimate interest in continuing to process the individual’s personal data, then they cannot exercise their right to erasure.
Two other significant changes which you will need to factor in when it comes to dealing with the rights of individuals in relation to their personal data are, firstly, that the general timescale for responding to, and where appropriate acting upon, a request by an individual to exercise one of these rights is 1 month and, secondly, that unless a request is manifestly unfounded or excessive, no fee can be charged by an organisation to comply with any of these rights (including the right of access under a subject access request).
Given the short timescale for dealing with the rights of individuals under the GDPR, the fact that the rights can overlap and the fact that they all operate in different ways, dealing with requests can be very complex. An individual may not be aware of the specific conditions attached to the various rights, which means it will fall to the controller to determine whether the conditions for exercising the right are fulfilled or not. We would suggest that it is good practice for all organisations to have an Individuals’ Rights Policy in place to help those within your organisation navigate these rights and determine if and when they can be exercised. The Information Law Team at Geldards has produced a Template Individual Rights Policy which can be used by all organisations. If you are interested in obtaining a copy, please don’t hesitate to contact Lowri.Phillips@geldards.com.