Elevating Users From Products to Customers – The GDPR Data Subject Empowerment
The purpose of the General Data Protection Regulation, GDPR, is to protect and strengthen the rights of data subjects/EU citizens. The law grants data subjects rights whereby the data controller, the entity collecting personal information, has to reveal the actual identity of the controller, the categories of data being collected/processed, the purposes of processing, the recipients of the personal data and the period for which the personal data will be stored. Data subjects will be able to request rectification or erasure of personal data, withdraw consent at any time and file a complaint. Furthermore, the controller must keep the data subject abreast of the progress being made on their request. The GDPR has the potential to change how business is conducted on the web forever. Let’s look at these provisions in more detail.
Right to transparent information
The GDPR requires data controllers to provide information to data subjects relating to collection and processing of their personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Right to access
Data subjects have the right to receive confirmation from data controllers that their personal data is, in fact, being processed and request access to data that has already been collected.
Right to know the identity of the data controller
Data subjects have the right to know the actual identity of the data controller including the contact details of the controller and of their data protection officer if one has been appointed.
Right to know the purpose and the legal basis
The data subject has the right to know the purpose and the legal basis for the collection of their personal data by the controller. If the controller intends to process the data for purposes other than those originally stated, it must inform the data subject of that intention before doing so. Furthermore, the controller must disclose to the data subject the identity of other recipients of the personal data. The controller must also inform the data subject if it intends to transfer personal data to a third country.
Right to rectification
Data subjects can request rectification of their data if it is inaccurate or outdated. If errors are discovered then the data shall be corrected without undue delay.
Right to be forgotten/erasure
Data subjects can have their personal data erased for the following reasons: the processing is no longer necessary for the intended purpose, consent is withdrawn, an objection is made to the processing and there are no overriding legitimate grounds for the processing, the personal data is unlawfully processed, erasure is necessary for compliance with a legal obligation, or the personal data concerns a child under the age of 16 and has been collected through an information society service.
The controller shall communicate to the individual in a concise manner any rectification or erasure of personal data or restriction of processing.
Organizations should ensure that they are able to permanently delete the relevant data.
Right to the restriction of processing
Data subjects can restrict the processing of their personal data when the data is inaccurate, when the processing is unlawful, when the data is no longer needed by the controller but is retained at the data subject’s request for legal claims, or when the individual has objected to the processing and verification is pending as to whether the controller’s legitimate grounds override those of the data subject.
Where processing is restricted, the personal data may, with the exception of storage, only be processed with the data subject’s consent, for legal claims, for the protection of another person’s rights, or for reasons of important public interest of the Union or of a Member State.
Organizations may not have this functionality built into their systems and may need to make changes to comply with this right.
Right to data portability
Data subjects can have their personal data/account information transferred from one online service provider to another online service provider/competitor, where technically feasible. This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to object
Data subjects can object to the processing of their personal data. The controller shall cease processing unless the controller can show compelling legitimate grounds for it which override the interests, rights, and freedoms of the data subject.
Organizations bear the burden of proof, which can be problematic since they rely on their own legitimate interests for processing personal data.
Rights relating to automated decision-making and profiling
Data subjects have the right not to be subject to a decision based solely on automated processing and profiling that significantly affects them. However, such processing is allowed when it relates to a contractual agreement with the data subject, provided that appropriate safeguards are in place, when it is authorized by law, or when it is based on the data subject’s explicit consent.
In short, the data controller must confirm or deny whether personal data is being collected/processed. The data controller must also inform the data subject of the types of data being collected, its exact purpose and how long the data will be retained, and disclose the recipients of the personal data. The data subject has the right to rectification or erasure of their personal data. Moreover, if the data controller uses the personal data to generate a user profile and subsequent decisions are made based on that profile, the data controller must disclose the logic used by its profiling engine. The data subject also has the right to request a copy of their data and/or port their data to another entity. If the data controller is transferring or plans to transfer data to a third country or to an international organization, the data subject has the right to know what safeguards are in place to facilitate a safe transfer. Finally, the data subject has the right to file a lawsuit against the data controller for material or non-material damage. The GDPR will turn the user from a product into a customer.