The rights of data subjects with respect to their personal data are being expanded under the EU General Data Protection Regulation (GDPR), impacting the business processes of data controllers and processors. At OneTrust, our customers are particularly concerned with how they will facilitate, manage and handle requests from data subjects looking to exercise these rights, as well as the complexities that lie within each distinct right.
The GDPR provides individuals with a variety of rights over the processing of their personal data. These rights allow individuals to have control over, and place limits on, the collection, use and disclosure of their personal data; they place certain obligations on data controllers with respect to those rights and on data processors to assist controllers with those obligations. While many of these rights exist today under the EU Data Protection Directive, there have been some significant additions. This article will focus on the three rights that we hear our customers asking about the most – the right of access, the right to erasure, and the right to data portability.
Data subject rights – Requirements and considerations
Specific obligations and requirements exist with respect to each of these rights. However, the general obligations of controllers, under Article 12, include:
Providing information to data subjects in a concise, transparent, intelligible and easily accessible form, using clear and plain language;
Providing the information in writing, or by other means, including, where appropriate, by electronic means;
Facilitating the exercise of data subject rights;
Providing information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request; however, that period may be extended by two further months where necessary, taking into account the complexity and number of the requests;
Informing the data subject of any such extension within one month of receipt of the request, together with the reasons for delay;
Where a request is made in electronic form, providing the information by electronic means where possible, unless otherwise requested by the data subject;
Where a controller does not take action on a request, informing the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy; and
Providing information free of charge; however, a reasonable fee, taking into account administrative costs, may be charged where requests are manifestly unfounded or excessive, in particular because of their repetitive character.1
There are also specific exceptions that exist where a controller may refuse to act on a request:
Where the controller is able to demonstrate that it is not in a position to identify the data subject (e.g., where a call center employee is unable to authenticate a caller);2 or
Where requests are manifestly unfounded or excessive, in particular because of their repetitive character (e.g., spammers).3
Additionally, where a controller has reasonable doubts concerning the identity of the individual making the request, the controller may request additional information necessary to confirm the identity of the data subject.4
As a result, controllers have a lot to keep in mind, and data processors will need to understand these requirements as well so that they can assist the controller with fulfilling its obligations.5 Controllers should also consider updating their standard operating procedures for handling requests, and incorporate processes for evaluating whether they have a right to deny the request. As with other aspects of data subject rights compliance, OneTrust privacy management tools can also assist with quickly weeding out illegitimate requests, helping controllers to focus on the requests that are legitimate.
Along those lines, this expansion under data protection law presents an opportunity for controllers to integrate their data subject request process with other processes like customer support and incident response. For example, many customer support teams (or “help desks”) have already been informally handling data subject requests (knowingly or not), but moving forward these teams will need to be trained on how to follow GDPR requirements, while also ensuring proper documentation and tracking that allows for quality oversight and accountability.
Another example is in the area of breach response procedures, which could be updated to anticipate that a breach may result in an incoming wave of data subject requests, with resources allocated to handle that. Similarly, personnel should be ready for data subject requests to come in after a new product release or marketing campaign.
These examples highlight the importance of creating standard operating procedures for personnel to follow when responding to these situations, and setting up a network of privacy champions throughout the organization who can assist with implementation and oversight.
Right of access – Article 15, Recitals 63-64
The right of access gives data subjects the right to obtain confirmation of whether the processing of their data is occurring, as well as to access a copy of that data, and information about the processing itself—e.g., the purpose of processing, the categories of personal data concerned, the recipients of the personal data, retention periods, and more.6 Additionally, where the processing involves automated decision-making (including profiling), the controller must provide information about the logic involved in that decision-making, as well as the significance and envisaged consequences of the processing (demonstrating the importance of data protection impact assessments).7
Protecting the rights and freedoms of others
Here, the ability to redact information is critical, as controllers must ensure that fulfilling a data subject’s request to exercise this right does not adversely affect the rights and freedoms of others (including the interests of the controller itself). This leads to a variety of questions that controllers need to consider upon receiving such a request.
For example, the recording of customer support phone calls is common practice in the service industry, but let’s say that a disgruntled customer makes a request for a copy of a particular phone call under their right of access—would the controller be obligated to provide the data subject with a copy of the call, and if so, what would that look like? Would it have to be the recording itself, or would a transcript suffice? In the case of transcription, what if the data subject argues that the audio of their voice is personal data? Moreover, perhaps the controller has reason to be concerned about the privacy or safety of their employee and wishes to redact portions of the phone call to ensure their protection—would such a redaction be appropriate in this case?
These are difficult questions, with good arguments on both sides. At the end of the day, however, and regardless of the controller’s decision, it will be critical to thoroughly document the reasoning behind that decision and communicate it to the data subject and, if called upon, to an EU supervisory authority.8
Free of charge and electronic access
Additionally, the initial copy of the data must be free of charge to the data subject; and, if the data subject’s request for access is made electronically, then the data must be provided back to them in an electronic form. Also, Recital 63 of the GDPR states that “[w]here possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.” In pursuit of these aims, and to mitigate security risk, controllers may opt to use tools specifically designed for communicating with data subjects and handling their requests in an efficient and secure manner.
Specifying a subset of data
An important caveat to the right of access is found in Recital 63, which states that “[w]here the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.” This concept of being able to ask a data subject to specify a subset of data for access was also referenced by the Article 29 Working Party in their “Guidelines on Automated individual decision-making and Profiling.”9
Right to erasure
On the surface, the right to erasure may seem simple and straightforward—it provides data subjects with the right to have their personal data deleted or removed. However, upon further inspection, this right is not as absolute as it may seem.
First, controllers only have to comply with an erasure request in limited situations. These situations include where the data is simply no longer necessary for its purpose; where the data subject has withdrawn their consent and there is no other legal basis for processing; where the data subject successfully exercises the right to object (another qualified right); where the processing is unlawful; or where erasure is required by some other EU or Member State law.10
Exceptions to erasure
Additionally, there are specific exceptions to the right to erasure. Those exceptions are: where the processing is necessary for exercising the right of freedom of expression and information; necessary for compliance with a legal obligation; necessary to carry out a task in the public interest or in the exercise of official authority vested in the controller; necessary for reasons of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or necessary for the establishment, exercise or defense of legal claims.11
The ‘Right to be Forgotten’
A valid erasure request may also need to be communicated to any recipients to whom the personal data have been disclosed by the controller (unless this proves impossible or involves disproportionate effort); and if requested by the data subject, the controller must inform the data subject of who those recipients are.12
This ‘right to be forgotten’ is expected to come into play online in particular. For example, if a controller has made the personal data in question public, they may need to track down and erase any links to, or copies or replications of, the personal data that are in their control, and take reasonable steps (taking into account available technology and the costs of implementation) to notify any third parties who are processing the personal data that the data subject has requested erasure of any links to, or copy or replication of, the personal data.13
The right to erasure is also tricky from the standpoint of demonstrating compliance with the GDPR. For example, how does a controller demonstrate that it has complied with an erasure request if it has erased the individual’s data; and if the controller has to keep a record of the erasure, then how is it able to truly comply with the request? There is no straightforward answer, unfortunately, but controllers should keep data minimization and purpose limitation, as well as any local archiving obligations, in mind when determining what records to keep in order to demonstrate compliance, while not retaining more information than is necessary to do so.
Right to data portability
Next up is one of the most talked-about data subject rights introduced by the GDPR, if not the most talked-about. The right to data portability gives data subjects the right to receive their personal data in a structured, commonly used and machine-readable format, as well as to have that data transmitted to another controller where technically feasible.14 This does not mean, however, that controllers must maintain compatibility with other services; rather, they should ensure interoperability. Essentially, Article 20 is intended to give data subjects the freedom to switch service providers without losing the information they have provided and created about themselves.
Like the right to erasure, the scope of this right has some limitations. Specifically, it applies only to personal data that have been provided by the data subject, where the processing is based on either consent or contract, and is carried out by automated means (i.e., no paper records).15
In the Article 29 Working Party’s “Guidelines on the right to data portability,” the Working Party stated that personal data provided by the data subject should include not only “data actively and knowingly provided by the data subject” (e.g., mailing address, user name, age, etc.), but also “observed data provided by the data subject by virtue of the use of the service or the device” (e.g., search history, traffic data, location data, etc.) which could even include “other raw data such as the heartbeat tracked by a wearable device,” thus greatly expanding the scope of the right to data portability.16 Further, the Working Party stated that the data “provided by the data subject” should not include “inferred data” or “derived data” such as a credit score or the outcome of an assessment regarding a user’s health.17
However, in response to these guidelines, the EU Commission has voiced concerns that the Working Party has taken too broad an interpretation of what the GDPR means by personal data “provided by the data subject.” For now, at least, controllers should consider erring on the side of caution and applying the Working Party’s broad interpretation, until further clarification is provided (if and when that happens).
Protecting Your Proprietary Information
One example of data portability used by the Working Party in their guidelines was of porting data between music streaming services.18 For example, perhaps an individual wishes to have their music listening history ported from one service to another, including their library or playlists, lists of songs they have liked and disliked, their user preferences, etc. Setting aside the question of whether a user’s music library is personal data, another question is what to do if fulfilling a data portability request could implicate the proprietary information used behind these services—can a service provider deny a portability request if it would compromise their proprietary information; or, could the information be redacted?
Again, it is important that controllers protect the rights and freedoms of others (including the interests of the controller) when fulfilling a request to exercise the right to data portability. Therefore, it will be important for controllers to ensure the ability to redact information, and have processes in place to review it, before generating copies for the data subject or transmitting the data to another controller on the direction of the data subject.
With the coming of the GDPR on 25 May 2018, a variety of new issues will need to be considered when handling data subject requests, including the various exception cases for when a request need not be fulfilled, response times, identity validation, security requirements, and more.
For many companies today, handling data subject requests is fairly straightforward—contact information is provided in privacy policies, and data access requests are handled via email or mail. However, for the myriad reasons stated above, additional preparations are needed in order to be ready for when the floodgates open on 25 May 2018. In most cases this means updating, or introducing for the first time, standardized processes for submitting, receiving and managing data subject requests, and at the end of the day, demonstrating compliance with the GDPR.