Your Guide To User Rights & Consent

GDPR is the new standard in Data Protection. When it comes into effect on 25th May 2018, every organisation that processes the personal data of people in the EU, whether or not it is based there, will need to comply with a new set of rules that control and protect the data it collects and uses on a daily basis.

One of the most important obligations you have as an organisation is the requirement to have a lawful basis for every piece of personal data you process. Consent is the basis most people think of (it is one of six, alongside contract, legal obligation, vital interests, public task and legitimate interests), and it is the one whose definition has tightened the most. The critical words that have been added are ‘unambiguous’ and ‘affirmative’: it is no longer acceptable for inaction, silence or a pre-ticked box to be counted as consent. Your users need to actively opt in, be able to see exactly what they are agreeing to, and be able to withdraw their consent as easily as they gave it. You also need to keep a record of what each user consented to, when and how, because the GDPR requires you to be able to demonstrate it.

This sits alongside the rights of the individual, which have been clarified and expanded to offer a higher level of protection under GDPR. Each right gives your users a new way to control their data, which in turn gives you and your business an obligation to honour it.

The right to be informed

Your users have the right to know about the collection and use of their data. You should give them this information at the point you collect their data, though the format of the explanation is up to you. This could be a privacy policy, a just-in-time notice or a pop-up. Whatever the format, the GDPR states that the information must be concise, easy to read, free of charge and easy to access.

The information you are likely to need to provide is:

  • Your purposes for processing their personal data, and the lawful basis you rely on for each purpose
  • Who you will share the data with
  • How long it will be stored for
  • How they might access, edit or erase any collected data, and how to withdraw consent where that is your basis

The right of access

Before the GDPR, individuals could request access to their information, but organisations often made this difficult. Now, it must be provided free of charge, within one month, and in a commonly used format. What’s more, if the request was made electronically, the data you provide must also be given in a commonly used electronic format unless the individual asks otherwise. Before you send anything, confirm that the person asking is who they say they are; you are entitled to ask for proof of identity, and releasing one user’s data to someone impersonating them is itself a data breach.

The information you are likely to need to provide is:

  • Confirmation that you are processing data about them
  • A copy of the data you hold, in an easy to use format
  • The same supplementary information as in your privacy notice: the purposes, who the data has been shared with, how long it will be kept and, if it did not come from the individual, where it came from

The right to rectification

If the data you hold on a user is inaccurate or incomplete, that individual has the right to have it corrected or completed. This matters most where the data is misleading in any way. You may receive a request for rectification verbally or in writing, and must respond either way. If, having checked, you are satisfied that the information is accurate, you can refuse to rectify it: explain your reasoning, record on the data that the individual disputes it, and tell them that they can complain to the ICO or seek a judicial remedy if they want to escalate the issue.

The action you are likely to need to take is:

  • To record the request, even if given verbally
  • To take reasonable steps to rectify the information within one calendar month of the request (this can be extended by up to two further months for complex or numerous requests, but you must tell the individual within the first month)
  • To confirm, once completed, that changes have been made
  • To tell anyone you have shared the data with about the correction, unless that is impossible or involves disproportionate effort

The right to erasure

Often also referred to as the ‘Right To Be Forgotten’, this is not a new concept in Data Protection. Nevertheless, with GDPR the rules have developed to make things easier on the user. Individuals can ask you to erase the personal data you hold on them when it is no longer necessary for the purpose you collected it for, when they withdraw the consent it was based on, when they object and you have no overriding grounds, or when you processed it unlawfully. You are permitted to refuse a request for erasure in a limited set of circumstances, for example where you are complying with a legal obligation, carrying out a task in the public interest or exercising official authority, or where you need the data to establish, exercise or defend legal claims.

The action you are likely to need to take is:

  • To record the request, even if given verbally
  • To take reasonable steps to respond to a request within one calendar month
  • To ensure you have the capability to erase data when required, including copies in backups and copies held by your processors
  • To tell anyone you have shared the data with about the erasure, unless that is impossible or involves disproportionate effort

The right to restrict processing

In some cases, there will be a legitimate reason to keep the data you hold, so a user’s request for erasure will be refused, but as an organisation you may still need to change the way you handle their data. The same applies while you are checking the accuracy of data the user disputes, or while you decide whether your grounds override their objection. This is restricted processing: you are permitted to store the data that you have, but not to use it for anything else without the individual’s consent, other than for legal claims, to protect another person’s rights or for important reasons of public interest.

The action you are likely to need to take is:

  • To record the request, even if given verbally
  • To take reasonable steps to respond to a request within one calendar month
  • To ensure you have the capability to flag a record as restricted, so that it is kept but excluded from processing, and to tell the individual before you lift the restriction

The right to data portability

With this right, your users can obtain the personal data they have given you and reuse it in another IT environment, such as another provider of your service. It applies to data they provided to you, that you process by automated means, on the basis of their consent or a contract with them.

The action you are likely to need to take is:

  • To provide the data free of charge
  • To share it in a structured, commonly used and machine-readable format (for example CSV, JSON or XML), delivered securely, since you are handing over a complete copy of a person’s data
  • To transmit it directly to the other provider where the user asks for that and it is technically feasible
  • To take reasonable steps to respond to a request within one calendar month

The right to object

Individuals have the right to object to their data being processed for direct marketing (including any profiling that supports it), for the purposes of scientific or historical research or statistics, and to processing you carry out on the basis of your legitimate interests or a task in the public interest or official authority.

The action you are likely to need to take is:

  • To stop processing the data unless you can demonstrate compelling legitimate grounds that override the individual’s interests, rights and freedoms, or you need it to establish, exercise or defend legal claims
  • An objection to direct marketing is absolute: stop as soon as you receive it, without charge, and suppress the contact details rather than simply deleting them so that the person is not marketed to again
  • You must stipulate this right in your privacy notice explicitly and separately from other information, at the latest at the time of your first communication with the individual.

Rights in relation to automated decision making and profiling

Increasingly, decisions about individuals are made by software rather than people. Automated decision making and profiling are still covered by the GDPR: you need a lawful basis for the processing, and your privacy policy must say that it happens, explain the logic involved and describe the consequences for the individual. Stricter rules apply to decisions based solely on automated processing that have a legal or similarly significant effect on someone, for example automatically refusing a credit application. You may only make such decisions where they are necessary for a contract with the individual, authorised by law, or based on their explicit consent, and you must give the individual a way to obtain human intervention, express their point of view and challenge the decision.

The action you are likely to need to take is:

  • Understand which decisions your systems make without human involvement, and update your privacy policy accordingly
  • Where a decision is solely automated and has a legal or similarly significant effect, confirm you have one of the three permitted grounds and build in a route for the individual to ask for a human review

Zinc is a digital agency that offers support and services while you implement a gap analysis or internal review. We cannot advise on your individual needs, and do not accept responsibility for any non-compliance.

To talk about how we can help action the points raised in a gap analysis or internal review, call us today.

Sponsored for digital business growth by: Northampton County Council