The EU General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, was introduced to give EU citizens more control over how their personal data is collected, stored, and used. The regulation places a lot of emphasis on consent and ensures that consumers have the right to access, move, modify and remove their personal data, upon request. They also have the right to deny companies the right to sell their data to third parties. A failure to comply with the GDPR could prove to be costly, with fines of up to €20 million, or 4% of global turnover (whichever is higher). Were we to include Amazon’s whopping €746 million GDPR fine for allegedly breaking EU data privacy laws, this would push the total amount of all GDPR fines to date above €1 billion, although Amazon has since announced that they are going to appeal the fine.
What Specific Privacy Rights do Consumers Have Under the GDPR?
Consumers have the following rights under the GDPR:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure/right to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Below is a more detailed breakdown of each of these rights:
The right to be informed
Consumers must be informed about how their personal data is collected and used. This includes information about why they are processing their personal data, how long they intend to keep it, and who they intend to share the data with. The information provided must be clear, concise, and easily accessible.
The right of access
Consumers must be allowed to access the information an organization holds about them in order to verify the legitimacy of their processing activities. There are no strict requirements that stipulate how an individual requests access to their data. As such, it would be a good idea for organizations to keep a record of all requests (both written and verbal) to be on the safe side. Organizations are required to provide a copy of the information free of charge and must provide the information within a month of receiving the request.
The right to rectification
Consumers must be allowed to rectify their data if they feel it is inaccurate, incomplete, or out-of-date. Organizations are required to respond to consumer requests and make the necessary changes within one month of receiving them.
The right to erasure & The right to restrict processing
Consumers have a right to request the removal of their personal data, as well as prevent or restrict the processing of their personal data. The right to erasure is perhaps the most controversial part of the GDPR, as data processors would not only be required to remove the requested data but would also be required to contact all parties with whom they have shared the data and ask them to remove it as well. While this is not always feasible, the data processor is required to take into account the “available technology and the cost of implementation, and then take reasonable steps” to ensure the data is removed.
The right to data portability
In addition to requesting access to their personal data, the consumer must also be able to port their data from one platform to another in a safe and secure way. The consumer’s personal data must be provided in a structured, commonly used and machine-readable format and the data subject should have the right to have their personal data transferred directly from one controller to another, where technically feasible.
The right to object
In certain circumstances, consumers have a right to object to the way an organization is using their personal data, such as when a company is using their personal data for direct marketing purposes. The consumer can file their objection both verbally and in writing. Companies are obligated to inform their customers about their right to object, and they must respond to objections within one month of receipt. The company may be able to continue processing their personal data if they are able to provide reasonable justification for doing so.
Rights in Relation to Automated Decision Making and Profiling
According to Article 22 of the GDPR, “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly affects him or her”. In other words, any decisions that are made which may affect an individual in some way should involve some kind of human intervention to ensure that the processing is carried out fairly and accurately. This applies specifically to decisions that affect a data subject’s legal status or legal rights. For example, if an online credit application is rejected by a company, this could affect an individual’s credit score. Likewise, a recruitment agency might make automated decisions about the employability of a given data subject, which might hinder their chances of finding work.
How to Protect Consumer Privacy Rights
A full breakdown of how to protect personal data is beyond the scope of this article, however, in the context of being able to comply with Subject Access Requests (SAR’s), it is crucially important that you know exactly what personal data your store, where it is located, who has access to it, and why.
You must also ensure that you have a record of all events concerning the personal data you store, and receive real-time alerts when it is accessed/used in a manner that would be deemed suspicious.
Having this information at your fingertips will make it significantly easier to respond to SAR’s, and demonstrate compliance to the supervisory authorities, thus avoiding potentially costly fines.