GDPR series - #5 - Individuals' Rights

In part 5 of 5, Ian Inman discusses new rights introduced by the General Data Protection Regulation (GDPR)

Published: 19th September 2017

Ian Inman recently joined Cox Automotive UK as Head of Privacy & Data Protection. In this series of blog posts he will give readers an overview of the General Data Protection Regulation (GDPR) and its implications.

The General Data Protection Regulation: Individuals’ Rights

In this final blog of my series on the GDPR, I decided to cover how it builds on and strengthens the rights of individuals regarding their personal data.

The rights we all know and love are still there: individuals will still have a right of access to their personal data, and the right to object to the processing of their personal data for direct marketing purposes, for example. Some of these rights have changed slightly from how we understand them today, but I focus here on some of the new rights that the GDPR introduces.

Article 17 - The Right to Erasure

Also known as the right to be forgotten, this is perhaps the most widely known of the new rights. Under the current data protection regime, there is a general requirement not to keep personal data longer than you need it. However, individuals have no right to get personal data deleted. Article 17 looks to change that but the right itself is not absolute.

Article 17 says that an individual shall have the right to obtain from organisations ‘the erasure of personal data concerning him or her without undue delay’. It then lists 6 specific circumstances where an ‘obligation to erase personal data’ arises. These are:

Together, these mean the right only arises in very specific circumstances and it may not arise at all. Article 17(3) sets out some specific purposes for processing where the right to erasure does not apply. These include, for example, where the processing is necessary for compliance with a legal obligation or where the processing is necessary for establishing, exercising or defending legal claims.

Article 17 seems simple – If any one of the circumstances set out in Article 17(1) applies and none of the circumstances set out in Article 17(3) apply, then an obligation to erase personal data arises. This could lead to problems, however: if you receive an objection to direct marketing you may want to retain a record of that person’s contact details on a suppression list so you don’t market to them again. Is this still possible if an obligation to erase occurs as soon as the objection is raised? It will be interesting to see how this right is applied in practice!

Article 18 - Right to restriction of processing

The right to restrict processing is designed to supplement other areas of data protection, and so it too only arises in certain circumstances. These are:

The key thing to note here is that where any of the above apply and processing is restricted, personal data cannot be processed (other than storage) without the consent of the individual. The GDPR gives some examples of mechanisms to secure the restriction of processing, such as moving the data to another system, making it unavailable to users or temporarily removing published data from a website.

It also makes clear that for data processed in automated filing systems like computer databases, this right should be achieved in such a way that:

Article 20 – Right to data portability

This right is designed to complement the right of access to personal data. It applies to:

In simple terms the right affords the individual the ability to receive the personal data in question ‘in a structured, commonly used and machine readable format’ as well to be able to send that personal data to another organisation and also, potentially, directly from one organisation to another.

The Article 29 Working Party have said that the reference to personal data provided to the organisation by the individual should not be read too narrowly. It could include information observed from the activity of users such as activity logs, history of website usage or search activity.

All of these rights raise key questions for businesses – Bearing in mind the obligations of privacy by design and default, are your IT systems capable of enabling you to comply with these rights? Do you know on what basis you process personal data? This can change how some rights apply or even if they apply at all.

That is all for this series of blogs, but we are looking at other ways of getting more information out there to help people understand the new law, particularly in the automotive sector.

Catch up on part 1part 2, part 3 and part 4 of this 5-part series.

Our Blog for the latest news, views and market intelligence.


Cox Automotive launches vehicle valuation, pricing and retail market insight product

Cox Automotive launches a new product that uses wholesale and retail data to help dealers buy, price and sell with confidence

Read more
News 12th June 2018

Allison Nau on the Live Stage at CDX18 talking Digital Data

Allison Nau, MD of Cox Automotive Data Solutions, was on the Live Stage at CDX18 in Manchester yesterday - find out why...

Read more
News 22nd May 2018

New product. Vehicle Insight helps you buy, price and sell with confidence.

Have you been wondering how your dealership can work smarter and save time? Well, with Vehicle Insight you can.

Read more
Data 22nd April 2018

Webinar = Delivering actionable automotive insight

Hear from our very own Allison Nau, Managing Director of Cox Automotive Data Solutions, as she spoke at Autos + London.

Watch it here
News 3rd April 2018

Sign-up for the latest product insight, news and resources to help you work smarter