Data Rights and Principles of Processing
Updated on January 10, 2018
This time, you will get a clear overview of the data processing principles and the rights of data subjects. Think of what these mean for your specific needs. We invite you to have a conversation with yourself, your colleagues, and other departments.
The Six Fundamental Principles
- Lawful, fair and transparent handling - Does not require much explanation, but refers to clear communication and abiding by the law.
- Limited to purpose - The use of personal data is limited to the purpose for which their owner gave informed consent. They should not be processed further; however, the regulation makes an exception for several cases, such as research or statistical purposes.
- Minimizing the data - Collect, process and use only the data that is necessary for the purposes defined above. While some data might be relevant for business analysis (such as who buys what), it might not be necessary in testing environments. Partially anonymized or generated data sets can often do the job. Conversely, other data (such as credit card numbers) might be needed to conduct a transaction but are then not necessary for marketing purposes.
- Accuracy - Accurate and up-to-date data are vital not only to comply with GDPR, but for any organization which strives to be data-driven. Implement measures that help the company oversee and, ideally, automate the necessary steps.
- Storage limitation - Once the purpose for which the data were collected has been fulfilled, the data should be discarded. Again, specific conditions apply under which they may be kept longer: for archiving purposes in the public interest or for other reasons mentioned in Article 89(1).
- Integrity and confidentiality - Last, but not least, data must be kept safe from unauthorized processing and loss. While designing measures to achieve safety, both technical and human factors are to be taken into consideration. It should be very clear at any point who is handling given data and in which way.
These principles and their implementations often revolve around similar topics: knowing your process, having a sufficient technical protection solution, and understanding your IT capabilities. We will dive into these in the upcoming blogs, including suggestions for possible solutions.
Data Subject Rights
Processing principles are only one side of the coin. The other is made up of the seven Data Subject Rights as defined in Articles 15 to 22 of Regulation (EU) 2016/679.
- Right of access - Although informed consent is needed for the collection and processing of data, institutions will still have to be able to provide information on request. This can range from confirmation of whether or not one's data are being processed to which data are processed and for which purpose. It includes information on whether or not the data are used for automated decision-making and, if so, what its basic logic and outcomes are. Be it automated profiling or further purchase suggestions, these will have to be covered. However, where relevant and justifiable, the requested organization will be able to charge a reasonable fee to cover the administrative costs of reporting.
- Rectification and erasure - Stemming from the six principles, company data should be kept accurate by default. Yet, if the data subject requests a further update or completion, it must be done without delay. More importantly, the “right to be forgotten” enables anyone to withdraw their consent at any time, excluding situations when the data is necessary to comply with other legislation or where they serve the public interest. For this reason, companies must be ready to delete information from their storage or even third-party spaces.
- Restriction of processing - Mostly when a dispute emerges, a data subject might request a restriction of processing. This means a (temporary) withdrawal of their consent, which would normally lead to erasure. In cases where the information is needed, e.g. to file a case, deleting the data is out of the question. For institutions, this adds another functionality necessary to comply.
- Be informed - This mostly concerns communicating any alteration, completion or deletion of user data, not only to the subject but also to any party to which the data were previously disclosed. This ensures that the accuracy principle will be fulfilled.
- Data portability - Any data stored about an individual should be transferable to potential providers. While this is common amongst banks, telcos or energy providers, the principle might be new to other sectors.
- Object - Collection for the purposes of marketing activities has become the daily cup of tea for nearly all businesses operating in the online environment. From May 2018 on, the fact that user data are being processed for profiling and direct marketing needs to be communicated early on while in touch with the user or customer. Consequently, once they exercise their right to object, such use has to end.
- Be a subject of automated decision-making - Last, but not least, where automated decision-making takes place and could have effects on the individual concerned, they have the right to opt out. The provision has been the subject of legal discussions; still, implementing a clear explanatory system for automated decisions is becoming good practice.
GDPR is a complex and in some places ambiguous document. Its execution might be all the more challenging when an organization manages several layers of data processing. If you wish to discuss your situation with data professionals, simply drop us a mail. In the upcoming blog, you can expect an example of customer data-flow mapping, including tips and questions to ask yourself.