Under the GDPR, individuals have eight Data Subject Rights over the personal data that organisations hold about them. These are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right to not be subject to automated decision making or profiling without human intervention
1. The right to be informed
Key to meeting a business's "transparency" obligations, the right to be informed means that businesses must give the individuals whose data they process specific information, as early as possible and in a form those individuals can understand. This means taking into account considerations such as age and disability; for example, plain terminology for children or people with learning difficulties, or Braille or audio formats for blind people.
All individuals must be informed, either:
- at the point of collecting their information; or
- on the first communication with them after obtaining their information from a source other than the individual themselves.
If you obtain data from another source, the law requires that you inform the individuals that you hold it, together with all the other prescribed disclosures, within one month of obtaining it at the latest (or at the first communication with them, if that comes sooner).
Also, if you plan to disclose (share) the information to another party outside your organisation, you must inform the individuals before you make that disclosure, as they may have a right to object to it.
In order to meet your transparency obligations, you will need to disclose:
- Your organisation's name and contact details and, where applicable, those of its representative.
- The name and contact details of your data privacy representative.
- If you have appointed a Data Protection Officer, their name and contact details.
- The "purpose", or reason, for processing the person's data.
- Which lawful basis you are relying upon to process that data.
- If that lawful basis is "legitimate interests", what that legitimate interest is.
- If the information is not obtained directly from the individual themselves:
  - the categories of personal data you have obtained; and
  - the source from which the personal data has been obtained.
- Ideally the names, but at least the categories, of any parties with whom the information is shared (including cloud service providers where you use them to store personal data).
- If personal data is to be shared, transferred or otherwise stored outside the EU (or outside the UK, under the UK GDPR), the countries and organisations involved, along with the safeguards you use to ensure the continued security and privacy of that information.
- How long you will retain the information. This should be a defined period that the individual can understand (e.g. 6 months or 7 years); where no fixed period can be given, you must state the criteria used to decide it, not vague phrases like "as long as we are legally allowed" or "as long as we are legally required".
- An explanation of the individual's rights, particularly where a right may not apply.
- How to lodge a complaint with your privacy officer, and how to escalate this to the Information Commissioner's Office if they are unhappy with the outcome of that complaint.
- Details of any automated decision making, including profiling, that may be conducted, and how to exercise their right to human intervention (see right 8 in the list above).
2. The right of access
Commonly referred to as a "Subject Access Request" (SAR) or a "Data Subject Access Request" (DSAR), this right entitles individuals, at any time and as often as they like (within reason), to ask you to confirm whether you are processing their personal data and, if so, what personal data you are processing.
Although called the right of access, you do not have to give the individual direct access to the data itself; however, where this is possible, it is recommended that you do. Letting the individual securely log in to view the information held, review past orders and update their details will also help you comply with other Data Subject Rights, such as the right to rectification.
You must either;
- Give access via a secure means as described above;
- Provide a copy of the information securely; or
- allow the individual to view the information at your premises, if it is not possible, or is deemed too insecure, to send the information to them.
Although you must provide everything you hold about or relating to that individual (including emails between other parties and handwritten notes), you must take care with personal data relating to any other person: it should only be disclosed where that other person has consented or it is reasonable to disclose it without their consent. This may mean that you can exclude documents which, by virtue of their existence, would identify the author to the data subject (e.g. a line manager's appraisal). You should always inform the individual that you hold documents you cannot provide. This can be particularly complex and confusing, and is where having a suitably knowledgeable data protection advisor on hand will help you.
A Subject Access Request can be made to anyone in your organisation (even a temp or a trainee), does not have to be in any prescribed form, does not have to be sent to a specific person or department, and does not have to contain any particular terms or phrases (it need not even mention the GDPR). You cannot require an individual to complete a form, although many businesses ask for this on the basis that it ensures the individual provides all the information you need to deal with the request promptly; by completing the form, the individual is helping you to help them.
Whichever channel (post, telephone, email, web, social media) is used to make the request is generally the channel you should use to respond to it, unless the individual directs you to respond in another way. So, for example, if a request is made by post, you should expect to print the documents and send them by a secure postal method; if it is made electronically, the response should be in a commonly used electronic form. You can ask whether the individual would accept your normal secure method of delivery, but you cannot impose that method upon them.
When a request is made, it has to be what is termed a "valid request". This means that you must be satisfied that the person making the request is either the data subject themselves, or a representative authorised by the data subject to act on their behalf. If you hold data that you can be confident only the individual will know, it is generally sufficient to ask them to provide that information as a means of identifying them. If you do not, you may ask for a utility bill or a government document that shows their name and address as you hold them. This "validation" is at your discretion, but it must be proportionate: do not ask for more identification than you reasonably need, and do not use it as a way of delaying the response. Be warned, though: if you disclose personal data to a party other than the data subject or their nominated representative, even if you believed they were that person, you have caused a personal data breach.
All subject access requests must be completed within one calendar month. That "clock" starts from the moment your organisation receives a valid request, which is not necessarily when the person who deals with it receives it. For example:
- If you receive a request on 26 February, you have until 26 March to respond.
- If your receptionist receives a request on 26 February but doesn't tell you until 10 March, you still only have until 26 March to respond.
- If you receive a request on 26 February and need to validate that person's identity, and the identification is received by you on 1 March, you have until 1 April to respond.
If the corresponding date does not exist in the following month (for example, a request received on 31 January), the deadline is the last day of that following month, i.e. 28 or 29 February.
You should always acknowledge receipt of a valid request and tell the individual by when to expect your response.
There are limited circumstances in which you can legitimately extend the time to respond by up to a further two months, and you must be able to demonstrate that they apply. They are:
- where the request is particularly complex and will take longer than normal to respond to; or
- where you have received a number of requests from the same individual and do not have the capacity to respond to all of them within the one month timeframe.
If you do extend, you must tell the individual within the original one month, explaining why.
Regardless of when a request is received, the above timeframes are limits, not targets: the law requires you to respond without undue delay. If you can respond within a week, you should.
Finally, you may not charge for a right of access request except in limited circumstances: where the request is manifestly unfounded or excessive (for example, where your prior request records show that the data subject is making repeated requests for the same information), or for further copies of information already provided. In those cases the GDPR also allows you to refuse the request, or to omit information that was supplied in response to an earlier request or is directly available to the individual, provided you tell them why.
The circumstances in which you are permitted to charge a reasonable fee based on your administrative costs are:
- requests for information provided previously (repeat requests or requests for duplicate copies);
- requests that ask for multiple copies (the first must be free of charge, but further copies can be charged for); and
- requests that are otherwise manifestly unfounded or excessive. The volume of information alone does not make a request excessive, so if sending a large amount of material would be costly, offer electronic delivery or collection rather than charging.
Because a request can be made to anyone, in any form, and must be responded to within specific timeframes, it is vitally important that everyone in your business understands both how to recognise a Subject Access Request and who within the business to escalate it to.
Consent is the lawful basis that most people have heard of, and the one with the most contentious coverage.
You may have heard many so-called "experts" saying that everything under the GDPR has to have consent. This is simply untrue; consent is only one of six lawful bases. Where you do rely on it, however, consent has to be actively given and cannot be assumed or implied.
There is a clear definition in law of what constitutes consent, and if all of the following are not met, that consent is invalid and the processing unlawful:
- It must be absolutely clear what an individual is consenting to, so that they can make an informed decision as to whether to consent. Consent should be granular: separate consent for separate purposes, not bundled into one tick box.
- It must be as easy to withdraw consent as it is to grant it, and the individual must be told how to withdraw it.
- Consent must be given by means of a clear affirmative action, such as clicking a button, selecting an option or ticking a box. Pre-ticked boxes, silence or inactivity do not count.
- An individual must not feel compelled to grant consent. If the individual would be unfairly disadvantaged by not granting consent, the consent is not freely given.
- There must not be an "imbalance of power" (for example, between employer and employee) where an individual feels that they must give consent or suffer some consequence for not doing so.
4. Vital Interest
For most businesses this will only really come into play in an employment or health and safety context, although that is not to say there will not be a Vital Interest in other scenarios.
A "Vital Interest" arises where there is a significant risk to someone's life. For example, if you know that a person is considering self-harm or suicide, or has fallen from a ladder or otherwise seriously injured themselves and their life is in danger, you can process their personal data in order to provide them reasonable assistance, such as calling the emergency services, a doctor, or family and friends. This basis covers the vital interests of the data subject or of another person, and is intended for emergencies where no other lawful basis is available.
5. Public Task
Not to be confused with the "Public Interest" basis of processing Special Category data, a Public Task is an activity carried out by or on behalf of a public body.
To rely upon this basis you must be able to demonstrate that the processing is necessary either:
- in the exercise of official authority, such as functions set out in law (policing, health and social care, etc.); or
- to perform a specific task in the public interest that is set out in law.
In either case you should be able to point to the statutory basis for the task or authority, and the processing must genuinely be necessary for it.
6. Legal Obligation
Almost every business will process some personal data as part of a Legal Obligation.
Businesses are legally required to maintain accounting records, which will include details of customers and suppliers, so processing personal data in an accounting context is a legal obligation. Likewise, if you have employees, you will process their personal data under your legal obligation to record and report on benefits, income tax, National Insurance and pension contributions. To rely on this basis you should be able to identify the specific law that obliges you to process the data; a contractual obligation is not enough.
With the COVID-19 pandemic in mind (and, to be clear, this is NOT what is currently legislated), if the UK government were to legislate that every retail or hospitality venue must by law collect the personal details of every guest or visitor, those establishments could lawfully collect and process that personal data for that specific purpose under the Legal Obligation lawful basis.
Finally, when considering a lawful basis, you must also consider your data retention obligations.