As 25 May 2018 and the coming into force of the General Data Protection Regulation (GDPR) gets ever closer, businesses are bracing themselves for the impact this new piece of legislation will have on the way they operate.

One of the key changes brought about by the GDPR which businesses must be aware of is how individuals’ rights in respect of their personal data have been affected. The GDPR aims to give individuals (whether these be customers, contractors or members of staff) more control over the ways in which businesses process their personal data, and this has led to the granting of new rights for these individuals, as well as enhancing and improving rights that existed under the outgoing Data Protection Act 1998.

The guidance below provides businesses with an opportunity to familiarise themselves with individuals’ rights under the GDPR and helps ensure that they know how and when to respond to an individual wishing to exercise any of these rights. Having this understanding is of vital importance when businesses approach the wider task of avoiding non-compliance with the terms of the GDPR, the fines for which are well documented

The right to be informed

  • You must provide data subjects with various pieces of information about the data processing activities you carry out.
  • This information is usually provided in a Privacy Notice or Privacy Statement.

  • The information must be:
    •  concise, transparent, intelligible and easily accessible;
    •  written in clear and plain language; and
    • free of charge.

The right of access

  • You must provide data subjects with:
    • confirmation their data is being processed;
    • access to their personal data; and
    • other supplementary information.

  • You must comply with any subject access request within one month of receipt.
  • You cannot charge a fee unless the request is “manifestly unfounded or excessive”.
  • Where you process a large quantity of information you can ask the data subject to specify the information they want access to.
  • You may refuse to comply with a subject access request where this is “manifestly unfounded or excessive”.

The right to rectification

  • Data subjects can have their personal data rectified if it is inaccurate or incomplete.
  • You must comply with any request to rectify within one month of receipt. This can be extended to 2 months where the request is complex.

The right to erasure/be forgotten

  • Data subjects have the right for their data to be erased where:

    • the personal data is no longer necessary in relation to the purpose for which it was collected/processed;
    • the data subject withdraws their consent or objects to the processing and there are no overriding legitimate interest to continue processing;
    • the personal data was unlawfully processed or has to be erased in order to comply with a legal obligation; or
    • the personal data is processed in relation to the offer of information society services to a child. 

  • You can refuse to erase a data subject’s personal data where it is processed:
    • to exercise a right of freedom of expression and information;
    • to comply with a legal obligation or for the performance of a task of public interest;
    • for the exercise or defence of legal claims; or
    • for purposes relating to public health, archiving in the public interest, scientific/historic research or statistics.

  • If you have disclosed the personal data to third parties then you must inform them about the erasure of the personal data.

The right to restrict processing

  • Data subjects have the right to restrict the processing of personal data where:
    • they have contested its accuracy;
    • they have objected to the processing and you are considering whether you have a legitimate ground which overrides this;
    • processing is unlawful;
    • you no longer need the data but the data subject requires it to establish, exercise or defend a legal claim.

  • If you have disclosed the personal data to third parties then you must inform them about the erasure of the personal data.

The right to data portability

  • The right to data portability allows data subjects to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
  • It enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.

  • The right to data portability only applies:
    • to personal data a data subject has provided to a controller;
    • where the processing is based on consent or the performance of a contract; and
    • where processing is carried on by automated means.

  • You must provide the personal data in a structured, commonly used and machine readable form (e.g. CSV files).
  • If the individual requests it, you may be required to transmit the data directly to another organisation if this is technically feasible.
  • You must comply with the data subject’s request free of charge and within one month. This can be extended to 2 months where the request is complex or if you receive a number of requests.

The right to object

  • Data subjects have the right to object to:

    • processing based on legitimate interests, the performance of a task in the public interest or the exercise of official authority (including profiling);
    • direct marketing (including profiling); and
    • processing for scientific/historic research or statistics.

  • You must inform data subjects of their right to object as soon as possible.
  • Where the data subject objects to direct marketing you must do so immediately. There are no exemptions or grounds to refuse.
  • Where a data subject otherwise objects to you processing their personal data then you must comply with this request unless you can demonstrate overriding compelling legitimate grounds to continue processing or that the processing is for the establishment, exercise or defence of legal claims.

Rights relating to automated decision making and profiling

  • Data subjects have the right not to be subject to a decision when:

    • it is based on automated processing; and
    • it produces a legal effect or a similarly significant effect on the individual.

  • You must ensure data subjects are able to:

    • obtain human intervention;
    • express their point of view; and
    • obtain an explanation of the decision and challenge it.

  • “Profiling” is any form of automated processing intended to evaluate certain personal aspects of a data subject, in particular to analyse or predict their performance at work, economic situation, health, personal preferences, reliability, behaviour and location.

  • The above right does not apply if the automated decision:

    • is necessary for entering into or performance of a contract between you and the individual;
    • is authorised by law (e.g. for the purposes of fraud or tax evasion prevention);
    • is based on explicit consent; or
    • does not have a legal or similarly significant effect on the data subject.

  • When processing personal data for profiling purposes, you must ensure that appropriate safeguards are in place.

    For example:
    • being fair and transparent about the logic involved;
    • using appropriate mathematical/statistical procedures;
    • implementing appropriate technical and organisational measures to correct inaccuracies and minimise the risk of errors; and
    • keeping personal data secure in a proportionate way.

  • As a general rule, it is best to avoid making automated decisions based on sensitive personal data unless you have the explicit consent of the data subject or have reasons of substantial public interest.

About the author

Patrick McCallum Solicitor

Patrick assists the Outsourcing, Technology and Commercial Team on general commercial matters.