So, it’s the final week – and we’ve kept the best for last! GDPR gives Data Subjects significantly more rights than the current regime, so your organisation needs to be able to respond effectively, and within the statutory deadlines, to the requests it receives, or face the consequences. Unfortunately, this is not as simple as writing a few processes to follow when a request comes in. It can require a significant amount of work, both technical and non-technical, because a request can only be honoured if you know where the data is and can act on it. (Note that GDPR uses the term ‘personal data’, which is broader than the ‘PII’ used below: any information relating to an identified or identifiable person, including online identifiers such as IP addresses and device IDs.)
What are the expectations?
Chapter III of GDPR (Articles 12 to 22) lays down the rights of the data subject regarding the processing of their personal data. Article 12 requires that these rights be met free of charge, and the individual rights are:
- Right to be Informed (Articles 13 and 14) – the Data Subject must be told, at the point of collection (or within a month where the data was obtained from a third party), who the controller is, what the data is used for, the lawful basis, how long it will be kept and who it will be shared with. This is a transparency obligation and is not the same as obtaining consent; consent is only one of the lawful bases for processing
- Right of Access (Article 15) – confirmation of whether the controller is processing the Data Subject’s personal data and, if so, a copy of that data together with the purposes, recipients, retention period and source
- Right to Rectification (Article 16) – where data is inaccurate or incomplete, it must be corrected or completed upon request of the Data Subject
- Right to Erasure (Article 17) – the much talked about ‘right to be forgotten’, which applies where the data is no longer needed for the purpose it was collected for, is being processed unlawfully, consent has been withdrawn, or the Data Subject has objected and there is no overriding legitimate ground to continue
- Right to Restriction of Processing (Article 18) – may be invoked while the Data Subject is contesting the accuracy of the data or the lawfulness of the processing, or where the controller no longer needs the data but the Data Subject requires it to establish or defend a legal claim. Restricted data may still be stored, but not otherwise processed without the Data Subject’s consent
- Right to Data Portability (Article 20) – where processing is based on consent or contract and carried out by automated means, the Data Subject has the right to receive the data they provided in a structured, commonly used and machine-readable format, and to have it transmitted to another controller where technically feasible. An example would be a Data Subject switching service provider and needing their data to make the move
- Right to Object (Article 21) – Data Subjects can require that their data is no longer processed. For direct marketing the objection is absolute; in other cases the controller must stop unless it can demonstrate compelling legitimate grounds that override the Data Subject’s interests
- Rights in relation to automated decision making or profiling (Article 22) – individuals have the right not to be subject to a decision based solely on automated processing where it produces a legal effect, or a similarly significant effect, on them
What does this mean to your organisation?
If you are like most other organisations, it means quite a lot. Some of the requests may not be completely possible to fulfil with the systems you have. Think about erasure of data: do you even know where data such as historic call recordings is held? Are records, including backups, in a format where one record can be removed while leaving the others intact? A data inventory (what personal data you hold, where, in what format, and who owns it) is the prerequisite for answering any of these requests, so if you do not have one, start there.
Of all the changes coming in with GDPR, these requests are likely to cause organisations the biggest headache, especially once timing is taken into account. Requests must be responded to without undue delay and in any event within one month of receipt. Where a request is complex, or you have received a number of them, that period can be extended by up to two further months, but you must tell the Data Subject about the extension, and the reasons for it, within the first month. Note that the extension is notified, not negotiated: the Data Subject does not have to agree to it, but they can complain to the Supervisory Authority if they think it is unjustified.
Now, if you are a new organisation with modern data storage technology, this may be less of a problem. However, there are a lot of organisations out there with disparate legacy systems where data is stored in different locations, in formats where individual records cannot easily be accessed, or, even worse, where nobody knows where some of the records are kept. That will pose a significant problem for many organisations come 25 May 2018.
Do all requests need to be answered?
While it cannot be relied upon wholesale, there are certain situations where a request from a Data Subject can be declined. I’m sure that got your attention, so let’s explore that a little further.
Where requests are ‘manifestly unfounded or excessive’, in particular because they are repetitive, you can either charge a reasonable fee based on the administrative cost of providing the information, or refuse to act on the request (Article 12(5)). What counts as ‘manifestly unfounded or excessive’ is open to interpretation, and the burden of demonstrating it sits with the controller, not the Data Subject. Take the example of someone who wants all their data erased where you know that calls are recorded and stored on backup tapes, so that honouring one Data Subject’s request would mean deleting every call on those tapes. You may be able to make a strong case for pushing back, but be aware that the test is about the nature of the request, not about how inconvenient it is for you to fulfil, so the argument needs to be documented carefully. The problem is that while pushing back may save a massive piece of work retrieving or deleting data, it is also time consuming and cannot be relied upon to close the request. A persistent Data Subject has every right to complain to the Supervisory Authority, which can overturn your decision and order you to comply. GDPR does not introduce any exemption for requests that simply involve large amounts of data; the only question is whether the request itself is manifestly unfounded or excessive.
Practically speaking, the best approach is to make sure that any future systems are compliant with these requests: if you are buying or developing a new system, make sure that every type of Data Subject request can be fulfilled at the touch of a button, which means per-record access, export, correction, restriction and deletion, including in backups and archives. But that is the future and may not be in place ahead of May 2018. For existing systems, first establish what you can do now (or implement easily) to meet each type of request. Once you have that information, you will know which requests you cannot fully respond to, and those gaps need to be documented. Depending on the request and the mitigating factors, they can then be considered on a case-by-case basis. Using the earlier example of voice recordings: storage is itself a form of processing under GDPR, so ‘not actively processed’ is not a defence on its own, but if you can demonstrate that you are holding the recordings to meet existing customer obligations, that they are held in a restricted archive and not used for any other purpose, and that they will be deleted when the retention period expires, then there may be a case for a conversation with the Supervisory Authority to explain the known shortfall. No guarantees, but at least it shows your organisation has done its homework and is keeping an eye on the risks.
Summary of Data Storage & Retrieval
This is going to be a very difficult component for organisations as they move towards compliance with GDPR. There will be instances where the cost of compliance would be prohibitive, so those cases need to be identified, reviewed and properly documented, along with the decision taken and the reasons for it. There also needs to be future-proofing of new processes and systems so that opportunities are not missed to build Data Subject rights into ongoing or future implementations, ideally through a self-service portal that lets Data Subjects raise and track requests (with suitable identity verification, since a request should not be honoured until you are satisfied that it really comes from the Data Subject).
In terms of getting started, look at how you would respond to each of the above Data Subject requests and ask yourself whether you can cover it in full within the one calendar month timeframe. If not, identify where your shortfalls are and whether any of them can be remediated inexpensively. It is what you are then left with that needs to be considered and documented.
End of the 8 Week GDPR plan
So this concludes our whistle-stop tour of GDPR and what it means to you as an organisation. Hopefully you found it an enlightening journey and are now in a position where you know what needs to be done to become compliant. Obviously we skimmed over some topics, but the main points have been covered. Intersys Compliance is available to support you on the entire journey to compliance, or on specific areas that you may be challenged with. Please don’t hesitate to give us a call and let us see how we can help you deal with this large but important task. Good luck with your GDPR implementation!
For any questions about this week’s topic or any other GDPR topic, please contact email@example.com
Graeme Riley is an experienced Global CIO with extensive experience in IT Security and Data Protection. He is currently a Director at Intersys Compliance Ltd.