Entry 4 of 6

Welcome to the fourth blog in our 6 part series on GDPR. With so much emphasis on the new regulation and the May 25th deadline drawing closer, we wanted to offer you some assistance in addressing the key questions around the new requirements. As you know, acceptcards® are experts in payments… but not so much in data protection regulations, we have invited our friends from Legacy IT Consultants Ltd to write this guest series on our behalf. Enjoy!

The General Data Protection Regulation (GDPR) is an EU regulation that seeks to strengthen and unify data protection for all EU residents. The GDPR introduces some new rights for the individual and strengthens some of the rights that already exist under the Data Protection Act (DPA).

The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

The right to be informed

The right to be informed encompasses your obligation to provide fair processing information, typically through a privacy notice or privacy policy.

Considerations for a privacy notice under GDPR include:

  1. Simple language
  2. Clear font and style (for instance avoid italics)
  3. Clear and separate opportunity to agree to each processing activity, for instance marketing, separated by channel The right to be informed emphasises the need for transparency with respect to how you use personal data. Much of the information that you should provide is consistent with existing obligations under the DPA, but there is some additional information that you are explicitly required to provide.

The information you provide about the processing of personal data must be:

  1. Concise
  2. Transparent
  3. Intelligible
  4. Easily accessible
  5. Written in clear and plain language
  6. Free of charge

The data that should be provided is:

  1. The identity and contact details of the Data Controller (and where applicable the Data Controller’s representative) and the Data Protection Officer
  2. Purpose of the processing and the lawful basis for this processing
  3. The legitimate interests of the Data Controller or third party, where applicable
  4. The categories of personal data involved (only necessary for that obtained by third parties and not that provided by the individual)
  5. Any recipients, or categories of recipients, of personal data
  6. Details of transfers to third countries and appropriate safeguards
  7. Retention period or criteria used to determine retention period
  8. The existence of each of the individual’s rights
  9. The right to withdraw consent at any time (if relevant) and the mechanism to withdraw consent
  10. The right to lodge a complaint with the supervisory authority
  11. The source the personal data originates from and whether this is public domain (only necessary for that obtained by third parties and not that provided by the individual)
  12. Whether the personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data (only necessary for that obtained from the individual)
  13. The existence of automated decision making, including profiling, information about how decisions are made, and the significance and consequences to the individual Where the individual supplies the data the privacy notice should be provided at the time the data is obtained. Where the data is obtained from a third party the individual should be informed within a reasonable period of time (and certainly within one month). If the data is used to communicate with the individual, then the information should be provided at the time of first communication. If the data is to be shared with a third party the information should be provided to the individual before the data is shared.

The right of access

Individuals have the right to access their personal data and supplementary information. This right enables individuals to be aware of and verify the lawfulness of the processing of their data.

Under the GDPR this right allows access to:

  1. Confirmation that their data is being processed
  2. Access to their personal data
  3. Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice

These are similar to the details under the DPA. However, there are a number of considerations that you need to be aware of:

  1. You must provide a copy of the information free of charge. Under the DPA it was permitted to charge a £10 fee to provide the information.
  2. There is provision to charge a reasonable fee when a request is unfounded, excessive and / or repetitive.
  3. There is also provision to charge a reasonable fee to comply with requests for further copies of the same information. The fee must be based on the administrative cost of providing the information.
  4. The timescale to provide the information is 30 days. Under the DPA this was 40 days.
  5. There is provision to extend this timescale by up to two months if requests are particularly numerous or complex. If you are seeking to extend the timescale you must inform the individual within one month of receiving the original request, and you must explain why the extension is necessary.
  6. You must verify the identity of the person making the request.
  7. If the request is made electronically you should provide the information in a commonly used electronic format.
  8. Where you process a large quantity of information about individuals, you are permitted to ask the individual making the request to specify the information that the request relates to.

The right to rectification

Individuals have the right to have their personal data rectified if it is inaccurate or incomplete.

Again, there are considerations:

  1. If the data has been disclosed to third parties, you must also inform the third parties of the rectification.
  2. You must respond to a request for rectification within one month.
  3. This can be extended by a further two months if the request is complex.
  4. Where you are not acting in response to a request for rectification you must explain your reasons to the individual, as well as reiterating their right to complain to the supervisory authority.

The right to erasure (the right to be forgotten)

The right to erasure enables an individual to request the deletion or removal of personal data where there is no reason for its continued processing, including storage. Under the GDPR there is a significant change to this right compared with the DPA. The new legislation removes the limitation that the right to erasure can only be enforced for processing that causes unwarranted and substantial damage or distress.

Individuals have a right to have personal data erased and to prevent processing in specific circumstances:

  1. When the personal data is no longer necessary in relation to the purpose for which it was originally obtained.
  2. When the individual withdraws consent.
  3. When the individual objects to the processing and there is no overriding legitimate interest to continue the processing.
  4. When the personal data has been unlawfully processed.
  5. When erasure is necessary to comply with a legal obligation.
  6. When the personal data is processed in relation to the offer of information society services to a child. There are some specific circumstances where the right to erasure does not apply and you can refuse to deal with such a request.

These include:

  1. To exercise the right of freedom of expression and information.
  2. To comply with a legal obligation or for the performance of a public interest task or exercise of official authority.
  3. For public health purposes in the public interest.
  4. For archiving purposes in the public interest, scientific research, historical research or statistical purposes.
  5. For the exercise or defence of legal claims. If you have disclosed the personal data that is subject to erasure to third parties, you must inform them about the request wherever it is practical to do so. The right to erasure extends to the online world to include organisations who make personal data public. They must inform third parties who process the data to erase links and copies of the data. This is particularly relevant to social media, forums, blogs, etc.

The right to restrict processing

The right to restrict processing is similar to the right to block or suppress processing under the DPA. When processing is restricted you are permitted to store the data but not to further process it. An organisation is permitted to retain enough information about an individual to ensure that the restriction continues to be implemented.

Circumstances that permit the right to restrict processing include:

  1. Where an individual contests the accuracy of the personal data (relevant until you have verified the accuracy of the personal data).
  2. Where an individual has objected to the processing (relevant where you are considering your organisation’s legitimate interest).
  3. Where processing is unlawful.
  4. Where you no longer need the personal data, but the individual does in relation to a legal claim. If you have disclosed the personal data that is subject to restriction to third parties, you must also inform the third parties about the restriction. You must inform individuals when you lift a restriction on processing.

The right to data portability

The right to data portability allows individuals to obtain and reuse their personal data in electronic form for their own purposes across different services in a safe and secure way.

The right to data portability only applies in these circumstances:

  1. To personal data an individual has provided to a Data Controller
  2. Where the processing is based on consent or for the performance of a contract
  3. Where processing is carried out by automated means You must provide the personal data in a structured, commonly used and machine-readable form, for instance CSV. The information must be provided free of charge. The individual may request that an organisation transmits the data directly to another organisation. However, this may not be achievable technically, and organisations are not required to ensure compatibility with IT systems outside of their own.

The considerations for the right to data portability are:

  1. You must respond to an information request within one month
  2. This can be extended by a further two months where the request is complex or you receive multiple requests.
  3. If you are seeking to extend the timescale you must inform the individual within one month of receiving the original request, and you must explain why the extension is necessary.
  4. Where you are not acting in response to a request for data portability you must explain your reasons to the individual, as well as reiterating their right to complain to the supervisory authority.

The right to object

Individuals have the right to object to processing. They must have an objection on “grounds relating to his or her particular situation”. These requirements are similar to existing rules under the DPA.

Individuals can object to processing that is:

  1. Based on legitimate interests or the performance of a task in the public interest / exercise of official authority.
  2. Direct marketing (including profiling).
  3. For scientific / historical research and statistics. If your processing falls into any of these categories and is undertaken online, you must allow individuals to object online. The objection must be based on individual circumstances.

The processing of personal data must be stopped except where:

  1. You can demonstrate compelling legitimate grounds which override the interests, rights and freedoms of the individual.
  2. It is for the establishment, exercise or defence of legal claims. You must inform individuals of their right to object in your first communication with them. This must be explicit, clearly presented, and separate from any other information. In the case of an objection to direct marketing you must stop processing personal data immediately, at any time, and free of charge. There are no exemptions or grounds to refuse.

Rights related to automated decisioning and profiling

These rights work in a similar way to existing rights under the DPA.

The GDPR allows individuals to challenge decisions made by completely automated means, and it allows them to ensure that they are not subject to a decision when:

  1. It is based on automated processing
  2. It produces a legal effect or similarly significant effect such as financial on the individual

Individuals must be able to:

  1. Obtain human intervention
  2. Present their point of view
  3. Have the decision explained
  4. Be able to challenge the decision

This is not an absolute right. It does not apply where:

  1. The processing is necessary for entering into or for the performance of a contract
  2. The processing is authorised by law
  3. The processing is based on explicit consent The GDPR defines profiling as and form of automated processing intended to evaluate certain personal aspects of an individual.

Particular profiling activities could be used to evaluate:

  1. Performance at work
  2. Economic situation
  3. Health
  4. Personal preferences
  5. Reliability
  6. Behaviour
  7. Geographical location
  8. Geographical movements

When profiling using personal data you must:

  1. Ensure that processing is fair and transparent by providing meaningful information about the logic involved, as well as the significance of the processing and potential consequences.
  2. Use appropriate mathematical or statistical procedures for the profiling.
  3. Employ appropriate technical and organisational steps to ensure that inaccuracies can be corrected and to minimise the risk of errors.
  4. Employ appropriate security measures across personal data to protect the interest and rights of the individual to prevent discriminatory effects.

For more information, advice or assistance on the GDPR please visit the Legacy IT website here or email them at enquiries@legacyit.co.uk

Author: Mike Madden – Legacy It Consultants Ltd.