GDPR and Enhanced Individual Rights: A threat or opportunity for organisations?

13 Dec 2017

Market research business Forrester has identified that 80% of firms affected by the GDPR will not be compliant with the Regulation when it comes into force on 25 May 2018. This reinforces the finding of Collyer Bristow’s industry report on GDPR preparedness that, with fewer than 6 months now remaining until its introduction, only 6% of businesses are completely prepared for the new data protection rules.

“Right to Be Forgotten”

Another notable conclusion from the Forrester research is that the “sleeper issue of 2018” will not be compliance but how consumer advocate groups use the GDPR to pursue their agendas using the Regulation’s “right to be forgotten” (the right to erasure) “to exhaust company resources and damage brands”. This right enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Alongside this obligation is one to take reasonable steps to inform third parties that the data subject has requested the erasure of any links to, or copies of, that data.

The right to erasure does not provide an absolute ‘right to be forgotten’ and data processors can refuse to erase a data subject’s personal data where it is processed:

  • to exercise a right of freedom of expression and information;
  • to comply with a legal obligation or for the performance of a task of public interest;
  • for the exercise or defence of legal claims; or
  • for purposes relating to public health, archiving in the public interest, scientific/historic research or statistics.

Other Rights

In addition to this, individuals have other new and enhanced data protection rights under the GDPR, including the right to rectification, the right to data portability, the right of access and the right to restrict processing. The right to make a data subject access request (DSAR) for disclosure of data held by an organisation about an individual has also been strengthened.

Before a business can even determine whether a request to exercise any of these rights can be complied with, it needs a clear understanding of what information it holds about the data subject and the legal basis on which that data is processed.

There is no doubt that dealing with such requests will be time-consuming for businesses. There is also a potential risk of damage to their brand if such requests are overlooked or handled inadequately. In tandem with the exercise of rights by individuals, large fines can be levied on businesses under the GDPR for breach or non-compliance.

Threat or Opportunity?

While recognising the risks, organisations should seize upon these changes as an opportunity to get ahead of the competition and be able to demonstrate high levels of compliance and security to customers. There is still time for most businesses to get their ‘house in order’ before the GDPR comes into force so that when (rather than if) a request is made by a data subject it can be handled in the appropriate manner. Businesses that can demonstrate compliance will be able to use this to enrich their brand values and establish a reputation as a business that is taking the lead in the protection of data subjects’ rights.

Practical Steps

Some of the steps your business can take to prepare for enhanced individual rights under the GDPR are as follows:

  1. Conduct a review of the personal data held by your business: what categories are there (employees, customers, suppliers, contacts etc.); on what basis is each category held; what is it used for; and how long is it retained?
  2. Review and where necessary update the systems in place to manage and store personal data. Data should be easy to search and identify in the event of a DSAR or other request.
  3. Ensure you offer a proper process for individuals to withdraw consent at any time and notify them of their right to do so.
  4. Recognise the new GDPR requirement for transparency in dealing with individuals. Privacy policies, cookie notices and consent mechanisms should be clear, well signposted and unambiguous.
  5. Train staff to identify the various kinds of data requests.
  6. Put in place policies and procedures for handling these requests and for responding to any complaints or breaches.

This article was authored by Nichola Leach and co-authored by Patrick Wheeler, members of the CB Comply team.
