In London’s Piccadilly Circus, an advertising screen the size of two basketball courts detects the ages, genders and moods of passers-by and responds by displaying targeted ads. The process uses facial-recognition cameras hidden behind the Piccadilly Lights billboards to pick out faces in the crowd and assess which adverts might be of interest.
Turning to Chapter 3 of the GDPR, articles 12-23 look directly at the rights of the data subject (an individual whose data is held by an organisation). These days, people want to know that their data is secure and used legitimately, and data controllers will need to be across this crucial area of the regulation as, should they not adhere, large fines could be just around the corner.
The articles break down the rights into a number of areas:
1. Right to be informed
Transparency and choice are two cornerstones of the GDPR regulation. At the outset of any request for data, businesses must be as clear as possible on how they will process data, who will process it, and where it could end up.
The regulation sets out extensive requirements for communications with data subjects in varying areas such as third-party legitimate interests and data subject rights. Individuals should be able to contact the data controller with any queries they may have.
2. Right to access
Individuals looking to scrutinise the use of their data by businesses will have the ability under the regulation to access that data and verify the lawfulness of its use. This means that, at any time, data controllers and teams must be able to confirm to individuals that their data is being processed, provide access to all of that data and also any supplementary information which was provided to them at the outset (wrapped up in the Right to Be Informed).
3. Right of rectification
Simply put, this article in the data regulation means that any request by an individual to correct inaccurate information held by your business must be acted on swiftly, clearly and without undue delay.
4. Right to erasure
Once their data has been obtained, there are six reasons that an individual may request for their data to be erased – enacting the ‘Right to Be Forgotten’:
- Their data is no longer necessary;
- The individual withdraws consent due to unlawful processing or because their data falls into a special category;
- Where they may object under the ‘Right to Object’ (more below);
- The data has been unlawfully processed;
- There is another legal obligation due to an EU member state law;
- Or the data relates to consent with regard to a child.
5. Right to restriction of processing
This right is similar to the right to erasure, and it’s another crucial element of the data regulation – the right to restriction clause demands that data controllers halt processing of data and (with the exception of storage) ask for permission for any subsequent use of that data. Broadly, an individual can request restriction for reasons similar to those for the right to erasure. In addition, the data controller must inform an individual if and when any restrictions have been lifted.
Bringing the regulation full circle, in terms of transparency and clarity, is the obligation to notify an individual of any changes in respect of the rights of rectification, erasure or restriction.
6. Right to data portability
Under the GDPR, individuals have the right to request and reuse data held by a business with other third parties. Essentially, it means that they can take that data and put it to good use elsewhere.
This is particularly important for businesses considering and collecting. If there is usage data, they could feasibly take that intelligence and use it with a third party elsewhere to their own advantage (and potentially your loss!). Yet another reason for businesses to carefully consider what data they need, and how they use it.
7. Right to object
This right bears significant relation to the use of data for direct marketing, and within this clause individuals can object to their data being used for such purposes. Should a data subject object, businesses need to make sure they halt any use of the subject’s data immediately. With a number of further grounds of objection, around areas such as lawfulness or historical scientific data, data controllers must ensure they act swiftly on objections.
8. Automated individual decision-making, including profiling
In some cases, automation can be used within data decision-making, based on variables such as demographics, purchasing habits or location. Here, individuals can object and have the right not to be subject to such automation. As automation becomes ever more prevalent within software, industry and business, this article could unsurprisingly become ever more relevant.
The GDPR is a far-reaching and complicated regulation, which will have a huge impact on data compliance and usage. It is crucial for businesses to understand exactly what is coming around the corner now to avoid any unwelcome surprises come the 25th of May 2018.