(Articles 12, 13 and 14)

What it means to you:

• An organisation at the time of collecting personal data needs to inform the individuals of a large number of points relating to what they plan to do with your data, where that data will be processed, how long they plan to hold on to the data and the details of your rights under the GDPR. This notice needs to be in clearly written and intelligible language.
• This information is normally found in the organisations Privacy Notice (some call it a Policy), normally found on their website.
• They have to tell you if they later intend to process the data for purposes other than for which it was originally collected. That means they need to know what purposes the data was originally collected for, and to be able to prove that (Article 13).
• If they did not obtain the data, i.e. if they are processing the individual’s data on behalf of another organisation, they still have an obligation to respond to data requests from that individual (Article 14). The organisation have to provide much the same information as if they had collected the data themselves, and also the details of who they are processing the data for.
• If they did not obtain the data and they wish to use that data in new ways, they must contact the individual (you) and inform them of this.
• If the individual asks, they have to provide the information in a ‘concise, transparent, intelligible and easily accessible form’ within one month of the request, except for some types of data where this can be extended by a further two months if the request is complex or for a large number of items or data (Article 12).
• If the data request is made electronically, it should be fulfilled electronically where possible (Article 12).
• The data must be provided free of charge, except where ‘requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character’ (Article 12).

So what does all that really mean to you?

Well, look at most websites, at the bottom of the page and you will find Privacy Notice or Policy. When you select this you should get a document with all the information you need about what the company does with your data. It should tell you how the collect it, what they do with it, who they share it with, where they store it, how long they keep it, how they dispose of it. They should also remind you of your rights, what the process is for you to get access to your data, who to complain to if you are not happy and who the Data Protection Office or main point of contact is. Wow that’s a lot of information.

The right of data access

(Article 15)

Anybody can ask an organisation if they have personal data concerning them and if so the individuals are entitled to obtain from the organisation (among other things):

• The personal data in question
• The purpose of the processing
• The categories of data
• The identities of all other parties they have already, or will in future, share that data with
• How long they plan to hold your data, or the criteria by which they determine that period
• The existence of any automated decision making, including profiling, a meaningful explanation of the criteria used to make those decisions and the consequences of those automated decisions on the individual

What that means for any organisation (this means companies, retail outlets, online stores, clubs, charities, any company or individual that records your data for a given purpose):

• They need to know all of the places where they store data about an individual
• They need really good records of any occasions where that data leaves the organisation. It’s not just obvious things like credit checking agencies, it’s also things like Mailchimp or passing data to their software developers for analysis
• They need to know what their rules are for keeping data
• They need a good understanding of any profiling tools they use, so, if those are third party software products from vendors outside the EU then ensure that decision making logic is available to them.

This is your right to get whatever information the company holds about you. It is important to note that you can only get YOUR data, not anyone else or any other information that is not deemed to be about you. Ex-employees mostly use this, especially if they have been dismissed for some reason, they think there might be some information about them that will get them some form of retribution against the company, 9 times out of 10, there is not.

The is free as long as it is not excessive or unfounded, then companies can charge a ‘reasonable admin fee’. In most countries the company has one month to reply to your request, although they can extend the time by a further two months if it is a complex request.

The right to rectification

(Article 16)

What that means to you:

• Organisations need to know everywhere in their organisation where data about individuals is stored (paper records, CRM software, line of business software, website database, accounts software, etc.) so that they can update those systems if an individual informs them the data you have about them is incorrect.
• They also need to know everyone they shared that data with, inform them of the corrections required and inform the individual of the details of those third parties. This means it’s vital they have a record of what data has left their organisation and where it went.

This rights allows you to change any information the company has about you if it is inaccurate or incomplete.

The right to erasure (‘right to be forgotten’)

(Article 17)

What that means to you:

• An organisations systems need to allow for the deletion of personal data. That sounds trivial, but many (or probably most) database based software packages (think CRM, line of business and accounts packages) do not allow records to be deleted, only archived or deactivated. They have to action a request to delete immediately, so it’s important to consider how this will be handled if their systems don’t allow deletions. Blanking personal data for an individual’s record may work here.
• Where They’ve made that data public, they are obliged to inform other organisations using that data that a request for erasure has been received.

Now, people think that they can get companies to delete all their information by just asking. You can, if the company has no other legal reason to hold your information. An ex-employee cannot ask a previous employer to delete all their data, the employer can legally keep the information for a number of lawful reasons. If they do not have a lawful reason to keep it, then they must delete you information.

If you enforce this right, the company should tell you why they cannot comply with your request and what lawful reason they have to keep it.

The right to restrict processing

(Articles 18 and 19)

What that means to you:

• An individual has the right to restrict what an organisation does with their information, so they can process it as part of a membership, but do not send advertising material.
• An organisation needs to keep a record of people have blocked certain types of processing and needs to be kept that record and consult it prior to processing data. In most cases, the best way to handle that will be within the software used to manage those processes.
• As with the other rights, they also have to pass the individual’s requests onto third parties you’ve shared the data with.

This is used when you allow a company to have your information but you don’t want them doing a particular thing with it. For example, you have a gym membership, you allow the processing of your data, sometimes by consent others the gym will have a legal basis to have and process it. You do not want marketing material from the gym, so you have restricted what they can do with it.

The right of data portability

(Article 20)

What this means for your SME:

• You need to be able to provide an individual with their personal data in a manner that allows them to easily take that data elsewhere. That data has to be in a machine-readable format, think spreadsheet or export file rather than Word document or PDF.
• If you anticipate a lot of these types of request (i.e. if you are in an industry where customers regular move between providers – e.g. mobile phone providers, banking, utilities to name but a few) then this process should definitely be automated. That may be a reasonably large undertaking as you are likely to need to bring together data from multiple separate software systems (and potentially from paper records too)
• For organisations who anticipate few of these types of request, preparing a spreadsheet of a person’s data manually and then saving it as a CSV file should suffice.

The easiest way I can explain this is when you ‘Port’ you mobile number to another mobile network provider. You are asking the old provider to send all your information to the new provider, so you are using your right to data portability. If you change a gym membership to another gym, you can ask the old gym to send you information to the new one, again data portability.

The right to object

(Article 21)

What this means for your SME:

• The primary impact here is on direct marketing and profiling. If you receive an objection you must stop direct marketing immediately and there are no grounds to refuse. Of all of the GDPR, this is actually the part that is likely to trip up the most businesses as marketing is often done on an ad-hoc basis based on departmental or even individual staff members’ lists of contacts or leads, and also by external mailing houses and automated online mailing tools (such as Mail Chimp or Constant Contact). Ensuring that every one of those areas is aware that a person should not be marketed to is a non-trivial undertaking and is probably best achieved by centralising CRM into a single location or creating a single master list of objectors that all systems can refer to.
• It’s not enough to not market to the individual, you have to also remove them from the profiling process too. So, if you run a report each month of customers who haven’t purchased from you in six months, you need to ensure that any objectors are not included in the data used to calculate who is included in that report. The only way to achieve this in many cases will be to change the way the software that performs those tasks works.

Right, you get an annoying email from a company you have never heard of asking you to buy new windows.. you unsubscribe from their data base, this is objecting to processing your data. That company cannot send you any more emails, if they do, they are in breach of the law.

Rights relating to automated decision-making and profiling

(Article 22)

What this means for your SME:

• If your SME makes decisions about individuals based on automated profiling you must provide a mechanism whereby the individual can obtain human intervention. That means processes that use profiling must also allow for a manual override. This doesn’t apply if the profiling is an implicit part of the service the individual signed up with your business for in the first place (for example if you ran a credit scoring agency, or wrote an activity tracking app).

The best example of the is getting a credit check on you when you want a load or get a new TV on hire purchase. If the check come back against you and you cannot get your loan or TV, you can insist on a person to make the decision and not a computer. Also for profiling, if you hold a store loyalty card, they collect all sorts of data about you and can send you information purely based on your shopping. This is profiling you, you can object to this and they have to stop doing it.

How can CookieScan help with your Rights?

CookieScan is the first cookie management system pop-up that has included your data protection rights. From the pop-up website site owners can now access the ‘request you data privacy rights’ section and directly request one of their data protection rights to the website owners. Any of the above eights rights, plus you right not to sell your data is available. Once you complete the small questionnaire and submit your request, you will receive a verification email. Once your email has been verified, your request is sent to the website owner for them to process.

They might contact you directly for more information, but at least it will get the ball rolling. If for example you request access to your data, the website owner will invoke their own process and contact you directly to get more information about what it is you are after.

CookieScan not only looks after your total cookie compliance, it now help you with parts of your data protection compliance. By having this on your website, you will show your potential customers how seriously you take data protection and protecting their data, more importantly.

Related articles:

• GDPR vs HIPAA – what are the differences?
• Is a GDPR cookie policy really required?
• GDPR and Cookie Laws in Europe – CookieScan Ultimate Guide