Below, we will detail the GDPR data subject rights as a user of the Disclosure and Barring Service’s (DBS) services, including what a data subject access request (DSAR) is and how institutions can efficiently handle these requests.
General Data Protection Regulation
The original Data Protection Law from 1998 was the UK’s first attempt to protect individual citizens’ private information from being used against their will, specifically in the new and growing area of the internet and e-commerce. Yet, after 20 years, the escalated growth of e-commerce and the internet proved it was time for the law to be reviewed and updated. The private information of more people than ever is at stake.
The General Data Protection Regulation (GDPR) in Bristol is the response to a growing crisis regarding the inappropriate use of personal data. It has also added obligations for enterprises in response to data breaches.
Your Rights Under GDPR
An individual’s fundamental rights must be balanced against factors such as legitimate public interest, so the GDPR rights are not absolute. That being said, an individual can submit a request to exercise one or more of the rights under GDPR in Bristol.
The rights are as follows:
Right To Be Informed
Companies must provide individuals with clear, succinct, and easily understandable information on what they want to do with their data. Articles 13 and 14 detail the necessary information to be presented upon request.
The information is termed “private information”. It includes the name and contact details of the organisation, the representative and the Data Protection Officer, the purpose of data collection and processing, the legitimate interests for processing, retention periods, and other details.
Right of Access
An individual can access their personal data (known as subject access) upon request. A subject access request is made to the company either verbally or in writing, and the company has a month to respond.
In most cases, the organisation is not allowed to charge a fee to the individual to deal with the request.
The right of access provides individuals with the lawful right to a copy of their personal data and other supplementary data. This right helps people understand why and how the company uses their data and ensures it’s within the law. The request can only cover personal data. Individuals are not authorised to request access to information associated with other people.
Right to Accuracy
Under GDPR Article 16, data subjects have the right to have inaccurate personal data corrected, or to have it completed if the information is incomplete. They can request rectification in writing or verbally, and the company has one month to make a formal response.
In certain circumstances, companies may refuse an individual’s request for rectification. Because this right is linked to the data controller’s obligations under the GDPR accuracy principle, see GDPR Article 5(1)(d) for full details.
Right to Erasure
Also dubbed “the right to be forgotten,” the right to erasure gives individuals the power to request that their data be erased. The request can be submitted either in writing or verbally, and the company is given one month to respond. In some cases, an individual’s request can be denied, so the right to erasure is not absolute.
Right to Restrict Processing
An individual has the right to request the restriction or suppression of their personal data. This right is not absolute; individuals can only request a restriction of processing in certain circumstances.
Companies can still store the data without using it, and they must respond to a request within a month.
Right to Data Portability
People can obtain and reuse their personal data for purposes of their choosing. This right allows for the safe and secure transfer of personal data online. However, it only applies to data that an individual has already provided to a controller.
Right to Object
Individuals can prohibit their personal data from being used against their wishes for marketing purposes. In that case the right to object is absolute, and the request must be considered and acted upon. Other objections, however, are not clear-cut; such requests can be denied under some circumstances.
In these other circumstances, the controller must demonstrate a compelling justification for continuing to use and process the personal data. Only then may they conceivably continue to do so.
Right in Relation to Automated Decision Making and Profiling
Automated profiling and decision-making (processes not involving humans) are covered under the GDPR in Bristol. An individual has the right to this information if a controlling entity holds it. If the information gathered from automated profiling significantly affects the individual, the GDPR grants that individual additional protections under Article 22.
The controlling entity must establish whether its processing falls under GDPR Article 22. If it does, the entity must inform the individual of the processing, and it must take steps to make it easier for the individual to challenge the decision made through automation.
Data Subject Access Request (DSAR)
A data subject access request (DSAR) is a submitted request made by an individual to exercise one or more of the rights outlined above. Under the GDPR in Bristol, data controllers must uphold certain rights of the individual.
Paraphrasing, the GDPR states that “an individual has the right of access to personal data, and to easily exercise that right while aware of the lawfulness of the processing.”
How To Handle a DSAR
First, you’ll want to determine how your company is to receive DSARs. The process doesn’t have to be overly complicated. The decision should factor in how much data your organisation collects, what your business entails, and how often you expect to receive DSARs.
Ultimately, you will want to ensure compliance with data subject rights. Crucial to this step is understanding what data you collect, where it is stored, and what purpose it serves.
An automated data classification and discovery system would make an excellent investment. It would ease the processing and simplify identifying the subject and the subject’s data.
What To Do When a DSAR is Received
Because you are legally obliged to respond to a DSAR, procedures must be in place to address them. This includes providing the individual with information about the processing of their personal data and a copy of it. Full transparency is required; the individual must know how you acquired the information and its expected use.
According to the GDPR, a data controller must provide eight pieces of information to the data subject:
- The personal data involved
- The purpose of processing the data
- Who will receive it
- How long it’s intended to be stored
- What steps are needed to request erasure, restriction of processing, objection to processing, and rectification of data
- The right to lodge a complaint
- How you collected the data
- Whether data collection was via human or automated decision-making
Refusing a DSAR
You can’t refuse a data subject access request outright. If you have solid grounds for denying an individual’s request, you can refuse to comply with a DSAR. However, you must explain your reasoning and follow up within 30 days.
Regardless, it is best to avoid refusing requests in a way that could land your organisation in legal trouble. Before refusing a DSAR, ensure you have irrefutable grounds for doing so.
GDPR Penalties and Fines
Following Brexit, there are now two versions of the GDPR that UK organisations might need to comply with: the UK GDPR and the EU GDPR. The UK GDPR in Bristol applies to the processing of the personal data of UK residents. The EU version continues to apply as before to the processing of EU residents’ personal data.
GDPR fines in the UK and EU vary based on the level of infringement. Lower-level UK GDPR fines carry a maximum penalty of £8.7 million (EU: €10 million) or 2% of annual global turnover, whichever is greater. These fines are issued for infringements of Articles 8 (conditions for children’s consent), 11 (processing that doesn’t require identification), 25-39 (general obligations of processors and controllers), 42 (certification), and 43 (certification bodies).
Organisations will see a higher level of UK GDPR fines of up to £17.5 million (EU: €20 million) or 4% of annual global turnover. These GDPR fines in the UK are issued for infringement of Articles 5 (data processing principles), 6 (lawfulness of processing), 7 (conditions for consent), 9 (processing of special categories of data), 12-22 (data subjects’ rights), and 44-49 (data transfers to third countries or international organisations).
Not all infringements lead to GDPR fines in the UK. The Information Commissioner’s Office (ICO) can take other actions, such as issuing warnings and reprimands, imposing bans on data processing, ordering the rectification, restriction, or erasure of data, and suspending data transfers to third-party countries.
It’s also essential for employees to be aware that the company does not shield them should they use a data subject’s information for any purpose other than the one for which consent was obtained. Such disregard for data privacy is likely to result in a fine for which they are personally liable.
In case of a data breach, a company has 72 hours to notify the ICO or face a steep GDPR breach fine in the UK.
How To Avoid GDPR Violations
It can be challenging to understand what constitutes a violation of GDPR, as the legislation’s terminology is deliberately ambiguous. The purpose was to create flexibility in the system, and to differentiate between intentional attempts to disregard the regulations and errors made while attempting to achieve GDPR compliance.
Most GDPR fines in the UK are violations concerning Articles 5, 6 and 32.
Article 5 (data processing principles) states that an individual’s personal data must be:
- Processed lawfully, fairly and transparently
- Collected only for specific legitimate purposes
- Acceptable, applicable and limited to what is necessary
- Factual and, where required, kept up to date
- Stored only as long as necessary
- Processed in a way that ensures appropriate protection
Article 6 (lawfulness of processing) states that collectors can only process personal data:
- If the data subject grants consent
- That meets contractual obligations
- That complies with legal obligations
- To protect the data subject’s vital interests
- For tasks in the public interest
- For the legitimate interests of the organisation
Article 32 (security of processing) requires data controllers and processors to implement “suitable technical and organisational standards” to ensure the security of the personal data they process.
UK GDPR fines are normally due to gross misconduct. Avoiding violations of these articles requires GDPR compliance. An organisation should care about the privacy and protection of individuals’ data. Your attitude towards this principle is what will determine whether your organisation avoids or incurs penalties in the future.