Under the Data Protection Act 2018 (which implements the General Data Protection Regulation 2016) (UK GDPR), individuals (known as data subjects) have the following rights in relation to their personal data:
General principles relating to a right of access – controllers:
- must be clear: information provided to data subjects must be concise, transparent, intelligible and in an easily accessible form using clear and plain language
- must be prompt: information must be provided to data subjects without undue delay but, in any case, within one month (two months for complex requests) and
- can no longer charge a fee to data subjects for providing them with this information save where the request is manifestly unfounded or where the data subject makes excessive requests.
- Right to be informed – controllers will need to put a lot more content into their privacy notices e.g. information setting out the purposes for processing as well as the legal basis of processing, how long personal data will be stored for and all of the data subject’s rights under the UK GDPR. See What information does a privacy notice need to contain?
- Right of access – not only a copy of their personal data but also supplemental information about the processing e.g. how long you intend to hold onto the data (the envisaged retention period – or, if this is not possible, the criteria that will be used to determine this), how the personal data was sourced (if not collected from the data subject), and details of anyone receiving the data in third countries or international organisations
- Right to rectification – the right to require controllers to correct any inaccurate personal data, or complete personal data if it is incomplete
- Right to be forgotten – the right to have their personal data erased in certain specified situations (e.g. personal data are no longer necessary for the purposes for which they were collected, or the data subject withdraws his consent and the controller has no other justification for processing it). If a controller receives such a request, it has to notify anyone to whom it has disclosed that personal data, unless this would be impossible or involve disproportionate effort
- Right to restriction – the right to restrict processing of personal data to merely storage in certain instances (e.g., until the controller has verified the accuracy of personal data if the data subject contests its accuracy, or if the controller no longer needs the personal data for the purposes of processing but needs it to defend legal claims)
- Right to data portability – this applies in relation to data processed by automated means. This is an attempt to promote further interoperability between online systems. At the data subject’s request, controllers must (free of charge) provide a copy of all personal data that they process about the data subject (and which has been provided by the data subject) in a structured, commonly used and machine-readable format. This would not apply to personal data that has been provided to the controller by a third party
- Right to object – the right to object at any time to processing which is being done for the purposes of (i) performing a task in the public interest, (ii) the controller pursuing its or a third party’s legitimate interests, (iii) direct marketing (including profiling to the extent it relates to such direct marketing) and (iv) scientific or historical research purposes or statistical purposes.
- Right to object to decisions being taken solely by automated means, including profiling – profiling is carried out on a data subject’s personal data and is done to evaluate personal aspects about the data subject. Under the UK GDPR, the controller must inform data subjects specifically about any profiling activities that it undertakes. Furthermore, personal data which are sensitive (e.g. race, religion, sexual orientation etc.) can’t be subject to automated decision-making without the explicit consent of the data subject
- Right to withdraw consent at any time – this only applies if a controller is processing personal data using consent as its lawful basis
- Right to be notified of a personal data breach – this only applies to personal data breaches which are likely to result in a high risk to the data subjects’ rights and freedoms
- Transfers outside the EEA – data subjects have a right to a copy of the agreement under which their personal data is transferred outside the EEA
- Right to complain to a supervisory authority (e.g., the ICO) – if a data subject believes that a controller is infringing any of their rights, they have a right to lodge a complaint with their supervisory authority.
The UK GDPR sets out certain exemptions to most of these rights, so it is important that controllers consider the exemptions carefully because they may not always need to comply.
Failure to comply with data subject rights could carry a substantial fine – the greater of £17.4m (€20m) or (for undertakings) 4% of total worldwide annual turnover. See What are the fines for infringement?
What do businesses need to do?
Businesses need to ensure that these rights are clearly set out in their privacy notices. In addition, they must have procedures and systems in place to enable them to deal with data subject rights. The sanctions alone for non-compliance should be enough to push this to the top of the Board agenda and force businesses to:
- update privacy policies and marketing lists/processes
- develop and implement template responses for data subject access requests (or review existing ones)
- designate or refresh roles/responsibilities for dealing with data subject access requests
- implement regular and ongoing training for staff
- update, upgrade and/or regularly stress test their systems, procedures, processes and policies to ensure that they are robust enough and
- if data portability is applicable, determine how they are going to provide it.
If you would like any further information or advice on data subject rights, or the UK GDPR generally, please contact us.
Disclaimer: This article is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a result of the contents of this article.