by Bhanvi Satija
Since 25 May 2018, citizens living in the European Union have been able to request a copy of their data from any organisation which processes it, thanks to the new General Data Protection Regulations (GDPR) that have come into effect.
Under Articles 12 to 23 of the legislation, the new regulations outline a list of data rights including the right to erasure and the right to withdraw consent from processing.
“The GDPR strengthens personal data rights much more. These rights are explicitly detailed, including the time periods in which organisations need to respond to access requests. It needs to be in a format in which people can use and access it easily,” said Praveeta Thayalan, a solicitor based in London.
The right to erasure
Some of the rights, such as the right to erasure, have already existed before the new GDPR legislation under UK’s Data Protection Act of 1998.
Dennis Holmes, Associate in the Telecommunications, Media and Technology practice at Linklaters LLM, said: “The right to erasure is not a new right, but it is now surrounded by a bunch of other tools that allow individuals to have more control over how their personal data is being used.
“For example, now their data needs to be processed on the basis of consent. Citizens have a right to withdraw their consent, and there are regulations for how easy it should be for citizens to give as well as withdraw permission.”
Ms. Thayalan said that the right to withdraw consent from processing is one aspect of the new law that has organisations worried.
“It’s a lot of work for the companies to go through their entire data set and hard drives and delete a person’s data,” she said.
The GDPR was passed in the EU in May 2016, and came into full effect from May 2018. The legislation applies to all data originating in the EU, i.e. the source of the data is more important than the location of the organisation controlling or processing it. This means that if a company registered in the United States or South Asia is processing an EU citizen’s data, they need to comply to the new regulations.
In Focus: Which rights does the GDPR establish?
The new GDPR defines citizens as “data subjects” and provides them with the following rights to ensure greater control over their personal data:
- The right of access – You can get a copy of your data from any organisation that holds it, or uses it. This copy should be provided to you free of cost, and in a format that is easily usable. For example, if you ask Amazon for a copy of all the data it holds on you, it should be on a USB stick and not a floppy disk. The time period in which they should provide you with this data will vary, but on average it could take up to 30 days.
- The right to rectification – You can request organisations change or rectify any of your data that may be wrong or that you may want to change.
- The right to erasure – You can ask organisations such Google, or even Tesco or Sainsbury’s, to delete all the data they have on you. This is also known as the right to be forgotten.
- The right to restrict processing – You have the right to specify which of your data you do not want organisations to process. For example, you can restrict processing to only your name and age and ask organisations not to process your contact information.
- The right to data portability – You can ask that your data be shifted to another provider, similar to changing your mobile service provider and keeping your same number with your new provider.
- The right to object – You have a right to tell organisations to stop processing any and all data they hold about you. This will obviously impact the quality of services they provide, but if you don’t have a problem with that, the GDPR gives you the means to go ahead. For example, if you ask Tesco to stop using your data as part of their analysis, you might not get emails about their Clubcard deals. But this also means that the next time you are chatting about buying vegetables over WhatsApp, Tesco will never know!