GDPR series - #5 - Individuals' Rights

In part 5 of 5, Ian Inman discusses new rights introduced by the General Data Protection Regulation (GDPR)

Published: 19th September 2017

Ian Inman recently joined Cox Automotive UK as Head of Privacy & Data Protection. In this series of blog posts he will give readers an overview of the General Data Protection Regulation (GDPR) and its implications.

The General Data Protection Regulation: Individuals’ Rights

In this final blog of my series on the GDPR, I decided to cover how it builds on and strengthens the rights of individuals regarding their personal data.

The rights we all know and love are still there: individuals will still have a right of access to their personal data, and the right to object to the processing of their personal data for direct marketing purposes, for example. Some of these rights have changed slightly from how we understand them today, but I focus here on some of the new rights that the GDPR introduces.

Article 17 - The Right to Erasure

Also known as the right to be forgotten, this is perhaps the most widely known of the new rights. Under the current data protection regime, there is a general requirement not to keep personal data longer than you need it. However, individuals have no right to get personal data deleted. Article 17 looks to change that but the right itself is not absolute.

Article 17 says that an individual shall have the right to obtain from organisations ‘the erasure of personal data concerning him or her without undue delay’. It then lists 6 specific circumstances where an ‘obligation to erase personal data’ arises. These are:

Together, these mean the right only arises in very specific circumstances and it may not arise at all. Article 17(3) sets out some specific purposes for processing where the right to erasure does not apply. These include, for example, where the processing is necessary for compliance with a legal obligation or where the processing is necessary for establishing, exercising or defending legal claims.

Article 17 seems simple – if any one of the circumstances set out in Article 17(1) applies and none of the circumstances set out in Article 17(3) apply, then an obligation to erase personal data arises. This could lead to problems, however: if you receive an objection to direct marketing you may want to retain a record of that person’s contact details on a suppression list so you don’t market to them again. Is this still possible if an obligation to erase arises as soon as the objection is raised? It will be interesting to see how this right is applied in practice!

Article 18 - Right to restriction of processing

The right to restrict processing is designed to supplement other areas of data protection, and so it too only arises in certain circumstances. These are:

The key thing to note here is that where any of the above apply and processing is restricted, personal data cannot be processed (other than storage) without the consent of the individual. The GDPR gives some examples of mechanisms to secure the restriction of processing, such as moving the data to another system, making it unavailable to users or temporarily removing published data from a website.

It also makes clear that for data processed in automated filing systems like computer databases, this right should be achieved in such a way that:

Article 20 – Right to data portability

This right is designed to complement the right of access to personal data. It applies to:

In simple terms, the right affords the individual the ability to receive the personal data in question ‘in a structured, commonly used and machine readable format’, as well as to send that personal data to another organisation and also, potentially, directly from one organisation to another.

The Article 29 Working Party have said that the reference to personal data provided to the organisation by the individual should not be read too narrowly. It could include information observed from the activity of users such as activity logs, history of website usage or search activity.

All of these rights raise key questions for businesses – bearing in mind the obligations of privacy by design and default, are your IT systems capable of enabling you to comply with these rights? Do you know on what basis you process personal data? This can change how some rights apply or even if they apply at all.

That is all for this series of blogs, but we are looking at other ways of getting more information out there to help people understand the new law, particularly in the automotive sector.

Catch up on part 1, part 2, part 3 and part 4 of this 5-part series.
