In this episode of the GDPR mini-webinar series Amar Singh and Chris Payne discuss the topic of data subjects rights.
Download the free accompanying study sheet here.
Amar: Welcome to Cyber Management Alliance’s mini webinar series on GDPR, General Data Protection Regulation, also known as EU GDPR. We are on episode three and we are going to talk about a very interesting, very important topic, data subject’s rights. Each one of us is a data subject and what rights do we have. I am joined today by Chris Payne, Managing Director of Advanced Cyber Solutions. Chris, welcome.
Chris: Hello.
Amar: Ok, so, three fundamental rights… go on.
Chris: Yes, so, under the GDPR, data subjects, who are the people which we’re collecting personal data or information from, have some fundamental rights defined and there's at least three that standout specifically in the regulations. Two of them are not particularly new; they are slightly modified from the Data Protection Act which has been running since 1998 and of course, a different version of that before. Then they’ve got an additional one. So, let’s just work our way through those. The first one is, at any time, as a data subject, you can have your consent withdrawn from data processing. So, Amar, do you get any of those sort of horrible phone calls saying are you owed PPI or anything like that?
Amar: Yes, yes, we all do.
Chris: And you’re probably aware that what you can say and what most people say is, “I don't want you to call me again, remove me from your calling list.”
Amar: Yes, yes.
Chris: So that is a removal of consent and under the GDPR, that’s an enshrined right for data subjects so, we understand that. The second one is what's called the subject access request, that's what it’s more commonly known as, and that's when you can request the data processor to tell you that all the personal information they’ve collected and they’ve processed about you. And then the final one which is completely new and has been discussed, the topic has been under discussion for some time, particularly around things like Google searches and people’s criminal history and background, is the right to be forgotten. So, we have a new right now which enshrines the ability to tell a user teledata processor or controller that you no longer want to be in their automated systems at all. Remove all data about me.
Amar: Excellent, and just to recap folks, this is not a professional legal advice, you must seek your own professional legal advice. These are summary mini webinar series so that we can we help you. There are eight of them and this is the third one, and we can give you some concise, condensed information and the right to be forgotten, Chris, I'm sure you would agree, is going to be very contentious, but this is not the time for it because if you’ve forgotten then how does someone, how does an organisation know that they even knew about you. So, that’s an interesting new one and a loop that we may face in the future but it's quite important. The right to be forgotten is very new and it gives the data subject the right to be removed from all data processing systems in an organisation. But what is this withdrawing consent then? A bit more detail on that, Chris…
Chris: Yes, so, we kind of went through that analogy there; if there’s any instance where you have submitted personal information for any purpose at all, and we have kind of discussed this in the previous episode, if you're receiving a service or a product, irrespective of payment, and you’re supplying your personal information in exchange for that, then you can remove that consent at any time, so you can halt effectively, the processing of your personal information. Now, one big distinction to make is that by halting that processing, it doesn’t mean that the data controller or processer is under any obligation to remove your data. You’ve just asked them to halt it and it could be for many reasons. It could be that you just don't want to use your data anymore, it could be that the data is incorrect. It could be that you disagree lawfully with the way they’re processing it and you’re about to raise it with the supervisory body, which in the UK is the ICO, but it doesn't automatically mean the right to be forgotten. That is a separate right.
Amar: So, yes, I mean we must stress that it is a separate right. If we call them to pause and withdraw consent, they will not necessarily delete or forget you, ok?
Chris: Indeed and there’s two other things that’s really important to point out here as well is that the removal of consent is on a basis of what you’ve consented to. So, if I’ve filled out three forms for three different downloads and I withdraw consent, I need to specify which one and my consent will only be removed for that one. So, presumably I would have to remove consent for all three to be completely prevented from processing that personal information anymore.
Amar: I think, in my opinion, this is really good but I think the data subjects also have to start to understand and take a bit of ownership about the data. You know this is an interesting topic, data subject wise. What’s the final thing, consent withdrawal?
Chris: Yes and I think this is actually a really important point because there is actually a mechanism today for withdrawing consent. Anybody for instance receives spam emails or know that there’s normally an unsubscribe link at the bottom, and that’s something that the DPO and further kind of data protection law across Europe was mandated since 1998, the difference now is that the GDPR is saying that you can withdraw your consent via a similar mechanism to the way you get your consent. So, for example, if you’ve filled out an online form, that’s consent; if you want to remove your consent, you should also have an online option to be able to do that. If you gave your personal data over by telephone, you should also have a mechanism by telephone where you can withdraw that consent. What it can't be though, is it can't be difficult for the data subject. They can’t be asked to jump through lots and lots of hoops in order to remove their consent. It essentially has to be made simple for them.
Amar: Yes, that's very important. Next is Subject Access Request; very interesting changes to this one, Chris…
Chris: And I don’t think this is really a very strange topic to most people. Most people have heard of Freedom of Information Act, most people have seen examples where they can request all the information that’s been processed on them, it's a right that we currently have. What is more important to take note of in this case under the GDPR is the changes, the modifications that are existing law. So, for example, at the moment, if you are to request your personal information from say a large multi conglomerate, they can wait for up to forty days to do it, and they can also charge you an administrative fee to do it as well to cover their costs for going and collecting all this information about you to pass on to you and of course, maybe posting it to you or whatever mechanism by which they used to deliver it to you, they have to cover those costs. Under the GDPR, that wait time has now been reduced to thirty days, so taking away ten days off that lead time, and really interestingly and quite controversially, you can no longer charge an administrative fee.
Amar: Very interesting and that actually introduces interesting challenges, which is for an organisation is the possibility of a denial of service by flooding an organisation or organisations with hundreds, thousands, millions of SAR. Interesting times ahead on this one, Chris…
Chris: Yes, yes, I must admit this is not an idea that I came up with myself unfortunately. I was presenting on this topic and actually an audience member brought this up as an idea and it stuck with me ever since because I think it is a very powerful idea. If you think about the idea of two companies that are competing with each other, what one company could conceivably do is actually create a large number of subject access requests just to divert their competitor away from their regular business. Now, if you’re a small business and you’re being asked for a thousand Subject Access Requests that could be very damaging to your ability to continue your regular business activities.
Amar: I think yes, but I think legitimately also as everyone as data subjects start to realise their rights and they’re going to demand information from the companies. That's going to be a natural flood; you know, companies already under the DPA are facing similar issues, you know where 5-6 years ago they hardly had an SAR, and I know one organisation that has to deal with about one hundred and fifty SAR’s a month right now. So, I think the natural denial of services is also possible; I mean, let's not call it a denial of service but administrative overhead, so anybody listening to this, be prepared for the administrative overhead to ensure that you can meet those legal requirements about responding to SARs. Finally the most important one, Chris, which is really interesting also, the right to be forgotten and we have an invisible man in front of our screen, which is always good fun.
Chris: Yes, yes, took me a while to find that image. So, this is the truly new addition, at least, the wholly new addition anyway to the GDPR over the existing regulations, so, and it’s really important to say that there is a distinction between withdrawing consent and being forgotten. So, if you withdraw consent, you just halt the process; if you asked to be removed, that's taking you out of the system entirely, so there is a distinction. You can’t ask for one and expect the other; you have to ask the both if you want both. So, essentially what we're staying here is that you have the right to request that all information that’s held about you at a data processor or a controller to be removed. Now, data controllers and processors do have a right to object about it if they believe that there are reasons for things like contractual obligations in order to continue processing your data, they can petition that to the ICO. So, let's say for example, you sign up to lease a brand new car, you pay your first month’s payment, you’ve got three years left on it and then you lodge a request to be forgotten from the leasing company. It’s not feasible that should be possible and therefore the leasing company could lodge a complaint to say that. You can't be forgotten in that case.
Amar: That would be good fun but obviously it’s not business and you know, there's no way, I am sure, anybody would allow that because then you don't know that you’re owed money by the customer.
Chris: Indeed and I think the GDPR, much as the bad press that it gets, it’s not there to punish business. It is essentially, and most people will probably find this comical, it is there supposedly to make business easier and so it’s not there to cause fundamental issues like breaking contracts.
Amar: Excellent. So, I mean finally, obviously thirty days, as we have discussed, and you cannot charge an administrator fee so you have to have automation, I think personally, and professionally consider automation and consider optimising your process because as everyone starts to realise their data rights, there’s going to be a natural increase in administrative people, people asking to be forgotten and that’s going to have an interesting overhead in the business, on businesses. So, thank you everyone for listening to our mini webinar series and the next week we’re going to talk about the Security by Design, a very interesting topic. Do listen in and I wanted to thank Chris Payne, Managing Director for Advanced Cyber Solutions and these are Cyber Management Alliance’s mini webinar series on GDPR. See you next time.
