To ensure GDPR compliance, most data-driven companies focus on the text’s 99 articles. Yet 173 recitals add further detail to this groundbreaking legislation.
Recital 4 highlights the spirit of the law by stating “the processing of personal data should be designed to serve mankind”.
It further emphasizes that “the right to protection of personal data is not an absolute right” and should “be considered in relation to its function in society”, proportionally balanced against other fundamental rights. The text stands for a technology- and data-driven evolution of mankind, supporting the European Digital Single Market.
Compliance with the GDPR will probably not get us there.
Expect ongoing debates about (1) what is and is not personal data, and (2) which processing is lawful and which rights are being reshuffled. The courts will deal with that in the next evolutionary phase of our societies’ democratic mechanisms.
GDPR compliance should be understood as a minimum basis to achieve the objective laid out in Recital 4, aligning with technology’s promises.
In the meantime, the GDPR lays out in Chapter III the Rights of Data Subjects: citizens, consumers, customers, business partners, employees, you and me.
These data subject rights are not all entirely new: Subject Access Requests (SARs) are already part of the current Data Protection Directive 95/46/EC. They have been enhanced to reaffirm the place of data subjects within the data ecosystem, tentatively rebalancing that system.
Right of Access
While Articles 12 and 13 lay out the mechanisms by which data subjects exercise their rights – the GDPR often reads like a handbook, with very specific indications such as Article 14 on data not obtained from the data subject – Article 15 lays the basis for what comes next.
It enhances the notion of the Right of Access and should be your initial procedural and technical challenge in ensuring GDPR readiness.
If someone sends you an email to ask what data you have about them, will you be able to respond within a month?
Customer service handles the request: this is about client communication.
Your procedures should answer the following:
- Will the recipient of the email, at the address stated in the company’s privacy policy (typically privacy@company.com), pass the request on to customer service, starting the 1-month countdown?
- How will this client be accurately identified? Which proofs will be requested? (Sending personal data to the wrong person is a risk in itself.)
- Which departments are involved in, and held accountable for, the information-gathering exercise? This can cover digital formats as well as paper archives. Acceptability thresholds for cost and effort should be defined and communicated;
- How is this information compiled – what is shared exactly? How far does this rabbit hole go? – and made ready for communication?
- How will the communication flow between the point of contact and said client?
- Could there be iterations to the requests, and at which point can these open items be considered as closed, if any?
If your company knows which systems are impacted by personal data and how these data flow, the exercise remains manageable. If not, it’s time to get data mapping going!
And while these requests might not arrive in droves, which raises the question of whether automation is worthwhile, you are expected to respond under the GDPR. The effort for 3 requests a year might seem excessive. Take into consideration the consequences of non-compliance, or worse, silence.
RELATED READING: How to Make Digital Analytics Processing Lawful Under GDPR and ePrivacy?
Right to Rectification and Erasure
The practices mentioned above are a basis for compliance with the next articles.
Articles 16 and 17 amplify the issues encountered above: if data have been archived and are not readily available, how can they be accessed, let alone rectified or deleted?
Additionally, think about:
- Who bears the costs of such requests, particularly if processors or sub-processors are involved?
- Could deletion requests conflict with other obligations that require data to be kept for a specified period?
While market forces will hopefully resolve the first question, the second requires the involvement of legal counsel to define which other obligations potentially override the GDPR. Such decisions must then be clearly communicated to the client.
Articles 18 and 19 also flow from there, giving data subjects the possibility to request restriction of processing, on top of ensuring that any rectification or deletion is passed on to other legal entities. Typically, if you share data with other systems or other companies, these requests should be passed on. The savvy reader will recognize here a duty of traceability, without which such alignment would be impossible.
Note that the currently debated ePrivacy Regulation, as a sub-set of the GDPR, applies these obligations to the digital sphere. An entire discussion is emerging about how, for example, programmatic data can be traced back to its source. Hopefully, robust best practices will emerge …
RELATED READING: How Will GDPR Affect Your Web Analytics Tracking?
Right to Data Portability
Data portability was introduced to avoid consumer lock-in. Companies will probably propose some form of download of customer data, typically in CSV format for the crudest of solutions.
Without clear sectoral standards, it remains difficult, at least today, to imagine how such portability can be of direct use.
Yet, as mentioned at the beginning of this article, the GDPR is not an endpoint but a minimum baseline to assure rebalancing of the data ecosystem.
The following might inspire some thoughts:
Profiling and the Right to Object
Objection to individual automated decision-making, including profiling – possibly one of the most debated data subject rights – is worrying a lot of digital marketing actors. It ties in with the issues society will face with the increased use of machine learning and algorithms, and in preparation for the IoT.
The creative used for the recent CPDP event in Brussels – the mecca of privacy thinking – highlights what this article is trying to tackle: a court using algorithms to define sentences for convictions, as is the case today in the United States.
This is unthinkable under EU law as data subjects have the right to question profiling-based decisions.
RELATED READING: Does “We Don’t Collect PII” Still Work?
Data subject rights & GDPR – What should you prepare for today?
Be prepared for this email where your clients ask what data you have about them.
If you are a data processor, align with the obligations of your customers.
The rights to deletion and rectification flow from this initial capability, with some haggling needed to define cost and effort boundaries.
Start thinking about what the Right to Portability means for you, keep tabs on what your industry is up to, possibly help define standards.
Stay tuned for more guidance from the EDPS on profiling and initiate discussions about what such GDPR rights might mean for your business.
Clearly these requirements will not be solved in a day, and it’s never too late to get started: we are all trying to figure out what compliance looks like and how to go beyond, supporting customer trust.