GDPR – The Challenges and the Opportunity (Part 2): Data Subject Rights

Following our general overview of the GDPR, we will now look at Data Subject Rights – the challenges they bring and how to deal with them.

DATA SUBJECT RIGHTS – THE CHALLENGE

The GDPR strengthens the rights of individuals to control their personal data. Those rights change the day-to-day handling of data and also demand a proper organisational setup, in most cases organisational changes.

As a consequence, ten core use cases can be identified that define the obligations of an organisation towards data subjects:

(Note that there are more duties not directly related to relationships with data subjects, focusing on the duties of data controllers vs. data processors and the transfer of personal data to third countries).

Supply information when collecting personal data

The controller has to provide information relating to the processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. Providing that information in the form of privacy policies that are excessively lengthy or difficult to understand is not permitted.

The scope of information that needs to be provided is outlined in articles 13 and 14 of the GDPR, but the controller might be required to provide additional information if the particular situation makes it necessary.

Provide access to personal data on request

In accordance with Article 15 GDPR, individuals have the right of access to their personal data. This means that the controller has to provide a copy of the personal data undergoing processing, free of charge. The controller may charge a reasonable fee based on administrative costs for additional copies, and may charge a fee or refuse to act where requests are manifestly unfounded or excessive, in particular because of their repetitive character. The rationale is that individuals should be aware of, and able to verify, the lawfulness of the processing.

Manage consent for processing purposes if no other legal basis applies

The processing of personal data is lawful only if, and to the extent that, it is permitted under EU data protection law: every processing activity requires one of the lawful bases listed in Article 6, one of which is the individual’s consent. If the processing is based on the data subject’s consent, the controller has to be able to demonstrate that the data subject has given consent to the processing operation. The data subject has the right to withdraw consent at any time; the withdrawal does not affect the lawfulness of processing carried out before it. Prior to giving consent, the data subject must be informed of this, and it must be as easy to withdraw consent as to give it.

Manage rectification of personal data on request

A data subject has the right to demand the rectification of inaccurate personal data concerning him or her from the controller. In specific cases, depending on the purposes of the processing, individuals can ask to have incomplete personal data completed, or to add a supplementary statement.

Manage objection or restriction of processing of personal data on request

The data subject does not have a general right to object to processing, but Article 21 grants a specific right to object in several situations. Where the processing is for direct marketing purposes, the data subject may object at any time and the controller must stop processing for that purpose. Where the processing is based on the controller’s legitimate interests (Article 6(1)(f)), or is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, the data subject may object on grounds relating to his or her particular situation. Where the processing is for scientific or historical research or statistical purposes, the data subject may likewise object on grounds relating to his or her particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

After such an objection the controller must cease processing the personal data unless it can demonstrate compelling legitimate grounds which override the interests, rights and freedoms of the data subject, or the processing is needed for the establishment, exercise or defence of legal claims. Separately, Article 18 gives the data subject the right to obtain a restriction of processing, for example while the accuracy of the data is being verified or while an objection is pending; restricted data may then only be stored, not otherwise processed, without the data subject’s consent or another listed ground.

Manage erasure of personal data on request (right to be forgotten)

The right to erasure or the right to be forgotten enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Again, this right does not constitute a general claim, but targets specific circumstances, which are defined in Article 17 GDPR:

  • The personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • The individual withdraws consent.
  • The individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
  • The personal data was unlawfully processed.
  • The personal data has to be erased in order to comply with a legal obligation.
  • The personal data is processed in relation to the offer of information society services to a child.

Notify third parties of rectification, restriction or erasure

A data subject’s rights would be hollow if copies of the data survived elsewhere, for instance in an online environment. Where the controller has made the personal data public and is obliged to erase them, it must therefore take reasonable steps, taking account of available technology and the cost of implementation, to inform other controllers who are processing the data that the data subject has requested the erasure of any links to, copies of or replications of those data. In addition, the controller must communicate any rectification, erasure or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort, and must tell the data subject who those recipients are if asked.

Give back personal data on request and allow transfer to other data controllers (data portability)

Where the processing is based on consent or on a contract and is carried out by automated means, individuals have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data were provided. This right to data portability aims to enable the data subject to obtain and reuse their personal data for their own purposes across different services.

Do not base decisions about data subjects solely on automated means

An individual has the right not to be subject to a decision based solely on automated processing, including profiling, if the decision produces legal effects concerning him or her or similarly significantly affects him or her. The GDPR gives the examples of the automatic refusal of an online credit application and of e-recruiting practices without any human intervention. The regulation also defines ‘profiling’ as any form of automated processing of personal data that evaluates personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements. Exceptions to the rule are possible where the decision is necessary for entering into, or performing, a contract between the data subject and the controller; where the decision is authorised by Union or Member State law to which the controller is subject and which lays down suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests; or where the decision is based on the data subject’s explicit consent.

Communicate personal data breaches (specific conditions apply)

Data controllers have to communicate a personal data breach to the data subject without undue delay if the breach is likely to result in a high risk to the rights and freedoms of natural persons. The communication needs to be in clear and plain language, describe the nature of the personal data breach and contain at least the name and contact details of the data protection officer or another contact point where more information can be obtained; the likely consequences of the breach; and the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

DATA SUBJECT RIGHTS – THE SOLUTION

Now that we have defined the obligations and challenges of the GDPR with regard to data subject rights, we can think about how to address them. eccenca is a RegTech company whose next generation data management solutions are driving automation and rationalisation for metadata management, data integration, analytics and data driven processes.

From a purely technical perspective the eccenca Corporate Memory solution combined with the eccenca GDPR Solution package addresses the data protection function by delivering a granular map of the complete personal data landscape. This map can then be used to identify all personal data of a data subject to fulfil subject access requests (SAR).

The system can answer the relevant questions for each data subject ID: which personal data items exist, who is the data controller and who is the data processor for each of them, in which system each is processed, what the attribute name is, and what the processing purpose and legal basis (e.g. consent) are. That is everything required to handle SARs and to give the data protection officer full transparency, without exposing any actual personal data: the system does NOT store the values of the personal data, which remain only in the respective source systems.

The complex grid of dependences 

The underlying technology stack is built on RDF graph technology, which can quickly be adapted to evolving requirements. The metadata describing the landscape is collected from the various source systems either via a standard API provided for this use case or, as a fallback, via an Excel round trip.

There is a user interface geared towards the data protection function to explore and search this map and there are APIs and endpoints to access it via third party tools for analytics and reporting.
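To make the map described above concrete, here is an added, deliberately small example. It is not eccenca’s code and does not use their API: the landscape is modelled as (subject, predicate, object) triples in the RDF style the text mentions, with a triple-pattern query on top, a SAR report per data subject, and the impact analysis for a consent withdrawal (which items must stop being processed and which processors must be told). The namespace, subject and system identifiers and the sample landscape are invented. The predicate whitelist enforces the design point made above: attribute values never enter the map, only their description.

```python
"""Metadata map of a personal-data landscape as RDF-style triples, plus the
queries a data-protection function needs for a subject access request (SAR).

Added example for illustration; not eccenca's code and independent of its
API. The namespace, identifiers and sample landscape are invented. The map
holds only metadata (which attribute of which subject sits in which system,
under which controller/processor, purpose and legal basis); attribute
values stay in the source systems and are rejected if someone tries to add them.
"""
from collections import defaultdict

EX = "http://example.org/gdpr#"  # hypothetical namespace

# Predicates the map may contain. Deliberately no 'value' predicate: the
# inventory describes personal data, it must never hold it.
ALLOWED_PREDICATES = {
    EX + p for p in ("aboutSubject", "attributeName", "storedIn", "purpose",
                     "legalBasis", "controller", "processor", "isChild")
}


class MetadataMap:
    def __init__(self):
        self.triples = []
        self._by_subject = defaultdict(list)  # index: graph subject -> its triples

    def add(self, s, p, o):
        """Add one (subject, predicate, object) triple; unknown predicates are
        refused so that no source system can smuggle actual values into the map."""
        if p not in ALLOWED_PREDICATES:
            raise ValueError(f"predicate not allowed in metadata map: {p}")
        t = (s, p, o)
        self.triples.append(t)
        self._by_subject[s].append(t)
        return self

    def match(self, s=None, p=None, o=None):
        """Triple-pattern match; None is a wildcard (a one-pattern SPARQL query)."""
        src = self._by_subject[s] if s is not None else self.triples
        return [t for t in src
                if (p is None or t[1] == p) and (o is None or t[2] == o)]

    def value(self, s, p):
        """Single object for (s, p), or None if absent."""
        hits = self.match(s, p)
        return hits[0][2] if hits else None

    def data_items(self, data_subject):
        """All data-item nodes that describe the given data subject."""
        return [t[0] for t in self.match(p=EX + "aboutSubject", o=data_subject)]

    def sar_report(self, data_subject):
        """Rows answering a SAR: what is held where, by whom, why, on what basis.
        Contains no attribute values; those are fetched from the listed systems."""
        rows = []
        for item in self.data_items(data_subject):
            rows.append({
                "attribute": self.value(item, EX + "attributeName"),
                "system": self.value(item, EX + "storedIn"),
                "controller": self.value(item, EX + "controller"),
                "processor": self.value(item, EX + "processor"),
                "purpose": self.value(item, EX + "purpose"),
                "legal_basis": self.value(item, EX + "legalBasis"),
                "child": self.value(data_subject, EX + "isChild") is True,
            })
        return sorted(rows, key=lambda r: (r["system"], r["attribute"]))

    def consent_withdrawal_impact(self, data_subject, purpose=None):
        """Items whose basis is consent (optionally for one purpose): processing
        must stop, and every processor holding them must be notified."""
        affected = [r for r in self.sar_report(data_subject)
                    if r["legal_basis"] == "consent"
                    and (purpose is None or r["purpose"] == purpose)]
        recipients = sorted({r["processor"] for r in affected if r["processor"]})
        return affected, recipients


def build_sample_map():
    """Constructed sample landscape: two data subjects (one a child), three systems."""
    m = MetadataMap()
    s42, s7 = EX + "subject/42", EX + "subject/7"
    m.add(s7, EX + "isChild", True)
    items = [
        # item, subject, attribute, system, purpose, legal basis, controller, processor
        ("item/1", s42, "email", "crm", "direct-marketing", "consent", "acme", "mailvendor"),
        ("item/2", s42, "iban", "billing", "contract-fulfilment", "contract", "acme", None),
        ("item/3", s42, "postal_address", "crm", "direct-marketing", "consent", "acme", "mailvendor"),
        ("item/4", s7, "email", "app-backend", "service-provision", "consent", "acme", "cloudhost"),
    ]
    for item, subj, attr, sysname, purpose, basis, ctrl, proc in items:
        node = EX + item
        m.add(node, EX + "aboutSubject", subj)
        m.add(node, EX + "attributeName", attr)
        m.add(node, EX + "storedIn", EX + sysname)
        m.add(node, EX + "purpose", purpose)
        m.add(node, EX + "legalBasis", basis)
        m.add(node, EX + "controller", EX + ctrl)
        if proc:
            m.add(node, EX + "processor", EX + proc)
    return m


if __name__ == "__main__":
    m = build_sample_map()
    for row in m.sar_report(EX + "subject/42"):
        print(row)
    affected, recipients = m.consent_withdrawal_impact(EX + "subject/42", "direct-marketing")
    print(len(affected), "items to stop processing; notify:", recipients)
```

The same graph answers the third-party notification duty and the child-consent rule from the metadata alone: the processors listed for the affected items are the recipients to inform, and the `isChild` flag on the subject node marks rows that need the special treatment for children’s consent. A real deployment would replace the in-memory list with an RDF store and SPARQL, but the shape of the data and of the queries is the same.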

Architecture of the eccenca Corporate Memory – GDPR Solution Package

To internally manage subject access requests the eccenca GDPR solution provides integration with a standard tracking tool (JIRA) to route incoming requests within the organisation.

By doing so, a firm achieves a competitive advantage, increased reliability and a better reputation. It also results in simplified data management operations as well as the ability to process across company borders and get full transparency on where data is stored.

This in turn means that data processing costs are lowered through simple and fast identification of related data, operational risk costs are reduced by full transparency, and turnover rises on the back of a competitive advantage in businesses that handle sensitive personal data.

The picture is similar from the data subject interaction perspective. The data protection function of the GDPR requires firms to comply with their duty to supply information, to manage consent, and to honour the right to object. The eccenca Corporate Memory tags specific data in respect of ‘consent’, ‘objection’ or ‘legitimate interest’. It sets rules to identify personal data of children for special treatment in terms of children’s consent. The solution relates ‘consent’, ‘objection’ and ‘legitimate interest’ to the respective systems, procedures / processes and purposes. Again, relations among semantically identical data are built without causing redundancy. The rules identify data of the same kind and generate a report with all the information that has to be supplied.

The value added is both in compliance and in financial terms. From a compliance perspective it delivers proof of GDPR compliance and creates a competitive advantage through increased reliability and reputation. It builds trust and transparency towards the data subject. The financial value comes from faster, cheaper and more reliable processing of SARs, lower administrative fines in case of non-compliance, lower data processing costs, no redundant information, and higher turnover based on a competitive advantage in businesses that handle sensitive personal data.

CONCLUSION

The example of the data subject rights as established by the GDPR clearly shows how a challenging regulatory initiative can be tackled to achieve compliance with a firm’s obligations and achieve cost savings as well as a competitive advantage with the right solution. This is not the end of our guide on the GDPR and the advantages of RegTech. In the next part, we will look at additional obligations of organisations as set out by the GDPR and show how regulated institutions can benefit further from using the right RegTech solution.

This concludes the second part of our three-part series on the GDPR – you can find the first part here. This post, as well as the entire series, is the result of our collaboration with eccenca, a software and solutions company. eccenca’s next generation data management solutions are driving automation and rationalisation for metadata management, data integration, analytics and data driven processes. By turning ‘strings into things’, eccenca is creating meaningful and machine-interpretable knowledge graphs that allow the integrative interpretation of previously siloed data across the enterprise or even throughout value networks. To find out more, go to www.eccenca.com. You can meet eccenca showcasing their data management solution at the 2018 Chief Data Officer Exchange and the Marcus Evans 4th Annual Data Quality and Consistency in Banking to find out how they use it to help with the challenges of the GDPR.

PlanetCompliance only publishes sponsored content from companies whose products and services we think our audience will find valuable or interesting. For additional information about how we handle partnerships and content production, please have a look at the PlanetCompliance Disclosure Policy, which you can find here.