GDPR Rights – How does an Owner-run Business Deliver the Rights of the Individual as required by GDPR?
As a Data Controller, which you almost certainly are, it’s your responsibility to deliver the Rights of the Individual when handling personal data. As the owner of a business working away on an amazingly wide range of tasks every day, do you stop and think about dealing with your clients in terms of what the law requires? Probably not, depending on your line of business. Obviously, if your business is all about knowing legal requirements you can happily confirm that you do, because you have no choice.
Generally, you will be concentrating on the doing, not the thinking behind what you are doing. This is where, having devised the best way to handle a task and written it down, you can almost go onto autopilot knowing you’ve covered your bases. You can also be confident that your VA, employee or freelancer will know how you want things done. But that’s a subject for another day and post.
There are 8 Rights listed in GDPR
GDPR lists 8 Rights within its requirements, but owner-run micro businesses need to pay most attention to the first 4:
1. The right to be informed.
My favourite way to consider this is based on what I expect when I hand over my own personal data; I want to know why it’s being collected, by whom, what for and whether anyone else will get their grubby paws on it, as a start. As an aside, I also resent it strongly if additional unnecessary data is asked for, e.g., my date of birth for a newsletter – if that happens, I just don’t subscribe (so don’t ask for data that isn’t necessary. Ever.).
How can you inform those you need to clearly and accurately?
The most obvious way is to have an easy-to-understand Privacy Notice, with versions that are appropriate to who will read it, e.g., website users and in-person clients would need slightly different versions. You could include sections for the different uses or groups of people in your online Privacy Notice and link to that document. There are no fixed requirements as to how you provide the information, just that you do.
Don’t forget, if you are using consent to gather people’s data, take care to explain what they are consenting to, as well as linking to your Privacy Notice.
Your sense check should be the same as mine: what would I want to know before parting with my own information…
2. The right of access.
- The starting place for this must be recognising when someone is asking for details of the personal data you hold about them. Sounds strange, but sometimes it’s not obvious. You may get a cryptic request where it’s not clear what data they want. You can ask for clarification, and you must make sure the requester is the owner of the personal data before you release anything, or you’ll have a breach on your hands.
- The underlying requirement for answering these requests is knowing what data you hold and where. This is where your up-to-date Record of Processing Activities will come into its own. Next, you need a simple process/procedure (call it what you will) to pull the various pieces of data together. Write your process down – it’s an important piece of evidence of your GDPR compliance.
- The formats you use should be digital and commonly available. For example, a PDF file, Excel CSV or JPG are all fine to use. You decide how best to serve your customer, client, contractor, etc.
- It’s important to remember that you have 1 month to deliver the data to its owner. Failures to fulfil these types of requests are among the most frequent complaints made to the ICO.
- Finally, make sure you keep a simple record of these requests – an Excel spreadsheet is sufficient, recording the name and the dates received and completed. You don’t have to delete the entry if you receive a subsequent request for deletion of their personal data, because in most cases the lawful basis for keeping it is legitimate interest: the entry is necessary for your record-keeping.
3. The right to rectification.
This Right is all about keeping personal data up to date and accurate. This could be as involved as having a membership portal so that members can maintain their own personal data, or as simple as sending out an annual email checking that data hasn’t changed, then following up if no answer is received and keeping your database clean by removing inactive or hard-bounce email addresses. Remember, if they are hard bounces the subscribers aren’t seeing your content anyway.
4. The right to erasure.
This is probably the most well-known GDPR Right. There have been court cases that have made the mainstream media, such as those against Google. It’s worth mentioning that this Right also affects how you word your consents because, as we all know, once your data or image is out there it’s virtually impossible to remove it from everywhere. That being said, when you’re holding someone’s information based on their consent, you have to make it possible for them to have that information removed from your records.
These 4 GDPR Rights will need to be accounted for in your business and have a delivery system built-in. Take the time to consider how it will work best for you and your business before you have to deliver!
The following 4 GDPR Rights are ones that owner-run micro-businesses rarely, if ever, have to deal with. You should be aware of them though, in case someone requests that you fulfil one for them.
5. The right to restrict processing.
This isn’t an absolute right. It may apply in the event of a legal case pending or being in progress. Your business wouldn’t continue to process the data, but you would still have to hold it until the case was resolved. You may then continue to process the data afterwards depending on the outcome. As you can imagine, such a situation isn’t likely to happen regularly.
6. The right to data portability.
This requirement is more likely to relate to bigger businesses such as banks, e.g., in reaction to the Open Banking initiative. It is where you are asked to send the personal data you hold to another organisation so that they can provide the same service that you do, in essence. The current situation is that the mechanisms to allow this to happen are still being developed. In the case of your business, where you only hold contact information, the need to move that to another business or competitor is slim. If you have a business where this may be a possibility, then do get advice.
7. The right to object to processing.
The main relevance of this Right for your small business falls under a different piece of legislation, the Privacy and Electronic Communications Regulations (PECR), and is specifically about direct marketing. The right to withdraw consent and have direct marketing stop is absolute. Getting things like your Unsubscribe process right is essential.
The Right to object to processing as defined in GDPR is only available in certain circumstances, such as where the organisation is using your data for a task carried out in the public interest, for the exercise of official authority, for their legitimate interests, for scientific or historical research or statistical purposes, or for direct marketing purposes. As you can see, this isn’t likely to apply to the majority of small businesses.
8. The right in relation to automated decision making and profiling.
I’ll use banking as an example again to describe the type of situation where this could apply: when you apply for a loan, your application will go through an automated assessment process. If your business uses anything like that, which is feasible if you are a franchisee, for example, you must be able to explain how the automated assessment works and have the decision reviewed by a human being. Your explanation has to be easily understandable by the person whose data you are handling. This Right applies where there are significant legal or other effects on the individual, and there must be a way to challenge the decision.
So, GDPR Rights – to return to my comment about the 1st Right – what would you want to know or be able to do when it comes to your own (valuable) personal data? That is what’s been built into GDPR. So, take care of the personal data you process. Chances are it’s only in your care because the owner of it trusts you to handle it with care and as you’ve said you will…