Episode 4 – Individual Rights
The new European General Data Protection Regulations build upon the rights already afforded to citizens in the UK Data Protection Act 1998. In this the fourth episode in our series we are going to be exploring these rights and the SAP Assets that businesses can use to assist their compliance with them.
The GDPR strengthens the protection afforded to EU citizens with regards to their personal data. This strengthening is brought about by the enhancement of individual rights, some of which were already in existence.
The individual rights listed within the GDPR are:
- The right to be informed
- The right of access
- The right of rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to automated decision making.
The majority of these rights existed under the UK Data Protection Act 1998 and have been strengthened within the GDPR. However, some, such as the right to data portability, are new.
As part of a GDPR compliance program, it is important for businesses to review their existing procedures, modifying them and devising new ones where necessary. The GDPR states that all of the rights should be acted upon in a timely manner, which is taken to mean one month. The consequence of this is that the majority of these rights will require exception-based business processes that can operate automatically with the minimum of staff interaction.
The strengthening of individual rights throws up some interesting challenges that businesses need to be aware of:
The right to be informed and the right of access
Data subjects have the right to ask a company if they are processing their personal data and if so, be given information about the data that is being processed. Data subjects could then request a copy of all of the personal data a company holds about them.
These rights pose a challenge: when responding to a right to be informed request, businesses should furnish the data subject with detailed information about the categories of data held and the type of processing undertaken. Both the EU and the Information Commissioner have indicated that it is not enough to simply reply “Yes we process your data.” The information required to fulfil the right to be informed could be taken from the Information Audit, which was the subject of episode 2 in this series.
Businesses using SAP could use Information Steward to gain visibility across the whole of the data collection and business processes to fulfil the request that way.
Should the data subject request a copy of their data under the right of access, businesses should be mindful that the data may be spread across many disparate systems and geographical locations, maybe in a number of different formats, and is not time bound. That is to say that whilst the GDPR does not make clear whether the right of access concerns the past, the European Court of Justice has a body of case law indicating that access to data may not be unduly restricted by time limits.
Again, SAP centric businesses are well placed. Information Lifecycle Management is capable of ‘hunting down’ personal data across a number of disparate systems from business systems, through data warehouses and out into the archive. Given that there is no time restriction, all of these areas will need to be ‘scanned’ for both current and historical personal data.
The rights to rectify, erase and restrict
The right to access data and the right to rectify inaccurate data are interlinked.
The principle of fair processing holds that the data being processed is accurate. Therefore, as data subjects, we must be able to access the data to check its accuracy. Businesses and Data Controllers have an obligation under the GDPR to take all reasonable steps to ensure the data that they hold and process is accurate. Should a data subject request a correction, the Data Controller must ensure that the correction is made within a month.
Data subjects have the right to request that their data is not used for certain processes. This request may come about because the processing was based upon the consent of the individual and they have withdrawn their consent. There could also be a situation where a data subject disputes the accuracy of data or a Data Controller requires more supporting evidence before rectifying data, in which case the processing of the data would be restricted until the dispute is resolved or the evidence supplied. In both cases the onus for action is on the business. It is the business's responsibility to ensure that corrections are cascaded throughout their systems and on to any 3rd party processors to whom the data may have been supplied. Similarly, it is the business's responsibility to ‘tag’ the data in the case of a dispute or a restriction on processing, and to pass those tags on to any 3rd party processors.
The right to erasure is an interesting one and also aligns with the principle of data minimisation, which is also enshrined within the GDPR. Where data is held based upon the consent of the individual rather than a legitimate business interest, the data subject can request that the data is deleted.
Where the data is held based upon a legitimate business interest, the business can refuse to delete the data when requested. However, the business must have specified data retention periods, so at some point in the future the data will need to be deleted in order to fulfil the principle of data minimisation.
The deletion of data, as with the majority of the GDPR, needs to be done in a defensible, secure and provable manner and from all systems. Businesses should ensure that the Information Lifecycle Management software that they use to accomplish all of these tasks is capable of producing audit trails, which of course SAP Information Lifecycle Management (ILM) is.
The right to data portability only applies to the data that a subject has supplied, and not, for example, to data that a business may have bought from a data broker.
It is easy to see how an export from a data storage unit, formatted as XML would satisfy this requirement. The question for businesses is more around visibility within the system landscape and the automation of requests such as this.
The right to object and the rights around automated decision making may well cause issues for companies who have made use of the large data lakes they have built up over many years and used to develop sophisticated classification algorithms. As a data subject, not only do you have the right to request a high-level explanation of the algorithm and how it works, but you also have the right, where the output of the algorithm significantly affects your life, to request that your data is processed by a human rather than the algorithm.
This could prove challenging for businesses. Google’s page rank algorithm is now so complex that the Google engineers do not know how it works. With ever advancing machine learning we are already reaching the point where we do not understand how a machine derived classification algorithm works. So businesses may well find it challenging to both explain the algorithm in terms that a layman could understand and have the data processed in a similar manner to that of a human.
As a business, you should review your internal procedures and ensure that you have in place mechanisms to fulfil these rights in a timely and cost-neutral manner.
This may well involve investment in and implementation of new solutions and/or the development of new reports. In the previous article we introduced the concept of privacy dashboards. Privacy dashboards provide a means of centralising privacy information for users and recording their preferences with regard to the processing of their information. These dashboards would seem to be the logical place to embed functionality that enables a data subject to enact their rights. Building such dashboards and connecting them to the various business software modules is straightforward with SAP Fiori or UI5. It is easy to see how doing so would contribute to the principle of fair and transparent processing, fulfilling some of the requirements of the GDPR and satisfying the Information Commissioner, not to mention building a closer, more trusting relationship with customers, partners and staff.
Stephen Lofthouse MSc BSc PGCLTHE FHEA is a GDPR Consultant with Proceed Group and a member of the International Association of Privacy Professionals. He is an award-winning SAP mentor who has worked globally for a number of years both commercially and in academia.