In the week of May 20th our inboxes got absolutely deluged with email after email telling us how important we all were, please don’t go, etc. It was a desperate attempt to keep you on side and enable them to keep on communicating with you.
But then this week our “unsubscribe rule” folders are still bursting with emails, and we see this new sentence: “We believe as you are a (enter the chosen phrase…) there is a legitimate interest in receiving these emails.” This is understandable: email has been a worthwhile marketing tactic for keeping people informed.
But did we miss something? Were we all so concerned about just getting consent? We don’t think there has been enough focus on the key thing that GDPR has given us, and that is greater influence over how WE control our data.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure, or the right to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
So to focus on two things:
a) The right of access
Individuals have the right to obtain the following from organisations:
- confirmation that you are processing their personal data;
- a copy of their personal data; and
- other supplementary information – this largely corresponds to the information that you should provide in a privacy notice
The GDPR states that, as a business, you must respond to a subject access request without undue delay and within one month of receipt. Also, the GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point. Wow! So literally, ANYONE who is in your business could be asked to help deal with a subject access request!
b) The right to erasure, or the right to be forgotten
Never mind the “unsubscribe” button. You now have the right to be “forgotten”, and individuals can make a request for erasure verbally or in writing. If your organisation receives a request, you have one month to respond. When does the right to erasure apply? The ICO guidelines state:
Individuals have the right to have their personal data erased if:
- the personal data is no longer necessary for the purpose which you originally collected or processed it for;
- you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
- you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- you are processing the personal data for direct marketing purposes and the individual objects to that processing;
- you have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the first principle).
The ICO offers more information here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
So the question for businesses and organisations that value their reputation is this: did we do enough to educate and inform our employees about this important shift in data access and the power it gives the individual? And what about new employees: will this be incorporated into induction training?
At this stage it is still early days for GDPR, and to date the ICO seems to be placing the onus on the consumer to take responsibility for their data. It will only be a matter of time before we see how hard the ICO comes down on businesses that simply ignore subject access and right-to-erasure requests.