GDPR – A Practical Guide for SMBs All you actually need to know about GDPR with real world examples and case studies
Data Subject Rights
The GDPR has given the individual back decision making power over their data. Organisations are now obliged to fulfill certain rights of the consumer. These rights are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Below is a short guide to these rights along with how you can use the Dataships tool to not only fulfill these rights, but to automate this process saving your organisation valuable time, helping you avoid fines and most importantly build healthy data relationships with your users!
The Right to be Informed
Articles 13 and 14 of the GDPR specify what individuals have the right to be informed about. We call this ‘privacy information’. You should provide your users will the following information:
- The name and contact details of our organisation.
- The name and contact details of our representative (if applicable).
- The contact details of our data protection officer (if applicable).
- The purposes of the processing.
- The lawful basis for the processing.
- The legitimate interests for the processing (if applicable).
- The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
- The recipients or categories of recipients of the personal data.
- The details of transfers of the personal data to any third countries or international organisations (if applicable).
- The retention periods for the personal data.
- The rights available to individuals in respect of the processing.
- The right to withdraw consent (if applicable).
- The right to lodge a complaint with a supervisory authority.
- The source of the personal data (if the personal data is not obtained from the individual it relates to).
- The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
- The details of the existence of automated decision-making, including profiling (if applicable).
You should provide the privacy information in a concise; transparent; intelligible; easily accessible; manner using clear and plain language.
You should regularly review and, where necessary, update your privacy information. If you plan to use personal data for a new purpose, you must update our privacy information and communicate the changes to individuals before starting any new processing.
When providing our privacy information to individuals, you should strive to use a combination of appropriate techniques, such as using a layered approach; dashboards; just-in-time notices; icons; and mobile and smart device functionalities.
The Dataships Privacy Centre allows you to house all your compliance materials in one place. This includes detailed information for the user from the outset on your company's privacy practices. By having a dedicated resource for privacy you are immediately communicating to the user that privacy is a priority for your company and lays a great foundation to build a healthy dataship with the individual.
The Right to Access
- All Individuals have the right to access and receive a copy of their personal data.
- This is commonly referred to as a subject access request or ‘SAR’.
- Individuals can make SARs verbally or in writing, including via social media.
- A third party can also make a SAR on behalf of another person.
- In most circumstances, you cannot charge a fee to deal with a request.
- You should respond without delay and within one month of receipt of the request.
A subject access request can be made verbally or in writing, including on social media, as long as it is clear that the individual is asking for their own personal data. You cannot charge the individual for your response to their request.
An individual may make the request through a third party or through an online portal as long as you are satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of their authority.
If an individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise.
If an individual asks, you can provide a verbal response to their SAR, provided that you have confirmed their identity by other means. You should keep a record of the date they made the request, the date you responded, details of who provided the information and what information you provided.
Dataships allows you to integrate all the tools you are currently using in your business. Using our bespoke APIs, users can then view where you hold personal data on them and fulfill their data subject rights. You are giving the user access to their information and encouraging them to manage their data relationship with you. This transparency is a great way to build trust with your users.
The Right to Rectification
Under Article 16 of the UK GDPR individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed. You may not charge a fee and you have one month to respond to the request.
The right to rectification can be leveraged to your company’s advantage. By bringing together all the data you hold on your users in one place and offering your users an easy-to-use tool to let them rectify their data you are encouraging them to keep their data up to date. By using the Data Access Gateway you can make this process simple for the user. Any data they change will be changed in the relevant data source meaning when you next reach out to them with an email, call or campaign, the up-to-date data will already be reflected. In addition, this ensures that any internal analysis you are conducting is using the most up to date information
The Right to Erasure
Under Article 17 of the UK GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’.
Individuals have the right to have their personal data erased if:
- the personal data is no longer necessary for the purpose which you originally collected or processed it for.
- you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent.
- you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing.
- you are processing the personal data for direct marketing purposes and the individual objects to that processing.
- you have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);
There are two main scenarios where you must tell other organisations about the erasure request. Where:
- the personal data has been disclosed to others
- the personal data has been made public in an online environment (social networks, forums etc)
You must also endeavor to delete personal data from backup systems. If any backup data cannot be immediately overwritten, you must put this data ‘beyond use’ and ensure it is not used for any reason.
At Dataships, we encourage companies to integrate all the tools that you are using into our tool. This can be third party tools such as salesforce, Hubspot or Zendesk or your own SQL, firebase or other databases. This allows companies to have a clean, structured data environment and makes responding to request easy. Furthermore, we encourage companies to make all the personal data they hold on users available to them. This has a host of benefits including automating erasure requests. When a user requests to delete their data it will also be automatically deleted from all the data sources if is found in within your organisation.
This means you don’t have to spend hours or days searching for the data and can be safe in the knowledge that the erasure request has been fulfilled. And don’t worry, you can build in rules, so you are in charge of what data is deleted and in what timeframe. But remember – unless you need the data to fulfill a legal obligation why would you want to keep it? You’re striving towards having healthy data relationships with your users and you want to hold data on those users that want you to have it!
The Right to Restrict Processing
Article 18 of the UK GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.
There are a number of different methods you can employ to restrict the processing, such as:
- temporarily moving the data to another processing system.
- making the data unavailable to users; or
- temporarily removing published data from a website.
It is particularly important that you consider how you store personal data that you no longer need to process but the individual has requested you restrict (effectively requesting that you do not erase the data).
The Right to Data Portability
The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.
As a controller you must supply any personal data that the data subject has provided to you. This may include:
- mailing address, username, age etc
- traffic or location data
- ‘raw’ data such as smart meters or wearable devices.
It doesn’t include any additional data that you have created based on the data an individual has provided to you. However, however note that if this ‘inferred’ or ‘derived’ data is personal data, you still need to provide it to an individual if they make a subject access request.
This right only applies to personal data. Therefore, any data that you have anonymized or pseudonymized is excluded from scope.
To fulfill this request properly you must:
- Supply the user with a copy of their personal data and/or
- Transmit their data to another controller
- You can either directly transmit the data to the user or provide access to an automated tool that allows the user to manage and download this themselves.
- The data you provide must be structured, commonly used and machine-readable.
At Dataships, we encourage companies to integrate all the tools that you are using into our tool. Through the Dataships Data Access Gateway, users can then view and manage the personal data that you hold on them. This includes our ‘data portability’ tool. By using this, your users can download all the data you hold on them across all your tools in a CSV format. This fulfills your obligation to them and allows your users to automate this request – giving you peace of mind and allowing you to focus on your business.
The Right to Object
Article 21 of the UK GDPR gives individuals the right to object to the processing of their personal data at any time. This effectively allows individuals to stop or prevent you from processing their personal data. Some examples of where an individual may object to processing include:
- Direct Marketing there is rarely any grounds for which you can rely on to refuse this request. However, this doesn’t mean you have to delete the user data and in many cases it’s good practice to retain their data for the purposes of ensuring that you don’t direct market to them again.
- Legitimate Interest if the individual has objected to the processing, it is likely that under the balancing test, the individual’s interests override the legitimate interest?
You must inform the individual about the right to object at the point of first communication with them.
If you found this article useful subscribe to your mailing list below to receive more free resources on to help you build healthy Data Relationships with your users: