Data rights for GDPR – What they are and what do you need to do to comply with them?
The General Data Protection Regulation (“GDPR”), which was enacted in Europe in 2018, introduced dramatic rule changes for companies regarding the way they collect and store data, while simultaneously offering individuals greater control over their personal data. Subsequent legislation, such as the California Consumer Privacy Act (“CCPA”) also has a significant focus on data subject rights and the management of those rights. Companies affected by these and other regulations need to be aware of these rights, how to comply with them, and what happens when they’re ignored.
What data subject rights does GDPR provide?
According to the GDPR, data subjects (i.e. individual consumers) have the following rights:
1) Right of Access: Data subjects have the right to obtain confirmation as to whether or not personal data concerning them is processed; if it is then they have the right to request and get access to that personal data;
2) Right to be Forgotten: Officially called the "Right to Erasure”. In certain cases, data subjects have the right to obtain the erasure of their personal data;
3) Right to Data Portability: Data subjects have the right to receive their personal data from one data controller and to transmit such personal data to another controller;
4) Right to Restriction of Processing: Data subjects have the right to obtain the restriction of processing, applicable for a certain period and/or for certain situations;
5) Right to Object: In certain cases, data subjects have the right to object to processing of their personal data, including with regards to profiling. They have the right to object to further processing of their personal data insofar as such data have been collected for direct marketing purposes;
6) Right to Rectification: Data subjects have the right to obtain the rectification of inaccurate personal data and they have the right to provide additional personal data to complete any incomplete personal data; and
7) Right to Reject Automated Individual Decision-Making: Data subjects have the right to not be subject to a decision based solely on automated processing.
How do these rights affect your organization?
GDPR provides consumers with previously unfathomable protections, and have become somewhat of a gold standard which other jurisdictions have replicated in whole or in part when drafting their data privacy regulations. This shift from organizations having complete control over consumer data has immense implications for both consumers and those organizations. Organizations need to be more transparent with the data they collect and they need to obtain explicit consent from the individuals from whom they collect information; if they don’t then they will be subject to significant financial penalties.
Notably, the legislation significantly alters how users can request access to data. Whereas companies were not previously obliged to show exactly what data they had collected about a particular person, individuals now have the right to submit a data subject request according to their rights, such as access to data the company has on them. The GDPR also eliminates costs of subject access requests, which levels the playing field for historically disadvantaged individuals.
How quickly do you need to respond to GDPR data subject requests?
Under the GDPR, companies have thirty (30) days to respond to data subject requests. Failure to do so could result in a hefty fine of up to 4% of annual global revenue, or €20 million, depending on which figure is higher. Note that this fine, while levied in euros, does not exempt companies outside the EU. You can learn more about whether your company is subject to GDPR by following this link.
How is the CCPA data subject different?
CCPA was generally modeled after GDPR, however it has some significant differences regarding data subject requests, such as:
1) CCPA considers data subjects to be only to residents of California, while GDPR applies more broadly. For example, a tourist from the US whose data is processed by a Spanish company while traveling through Germany is protected by GDPR. A Spanish resident traveling abroad whose data is processed is likely to be subject to GDPR. However a Washington resident driving through California is unlikely to be protected by CCPA;
2) CCPA requires consumers to “opt-out” rather than “opt-in”, meaning that the default position is that California residents give their consent to have data processed, with the ability to withdraw that consent, whereas GDPR requires organizations to obtain consent prior to data being collected; and
3) CCPA requires an additional right for consumers to deny companies the ability to sell their information. Companies must post a “Do Not Sell My Information” link on their website homepage and any other website page which sells data in order to be compliant.
4) CCPA creates a “private right of action”, meaning that a consumer can directly file a claim against a specific company to obtain compensation in limited circumstances. The GDPR does not provide for this private right of action, but does provide the right for individuals to request governing bodies bring class action suits on their behalf
In an ever-evolving data privacy landscape, organizations need to adjust in order to ensure they can quickly and efficiently respond to data subject rights and requests, depending on the jurisdiction and regulation being applied. This may sound like a time consuming and costly task, but it doesn’t have to be. Contact us today to see how you can avoid financial penalties and show your customers that yours is a transparent and trustworthy organization.