GDPR Part #2 — User’s rights and checklists
The GDPR is a set of rules that collects principles and best practices that have existed for a while. This document lists those principles and best practices and explains how to be compliant with GDPR, providing concrete checklists and action plans. It does not substitute for the work of a compliance lawyer or a DPO (Data Protection Officer), whom it is recommended to consult if the company collects and processes PII (Personally Identifiable Information), particularly if those data are sensitive, like medical records and financial data.
Part #1- Takeaways and Action Plan
Part #2- GDPR user’s rights and checklists
Part #3- Privacy and Security by design and checklists
Part #4- List of resources where this document comes from
NOTE: For quick consultation, if you are already familiar with GDPR, I put the takeaways and action plan at the beginning, in Part #1; jump to Parts #2 and #3 if you want to deep dive into the checklists.
The aim of this document is to: a) give an overview of what GDPR is; b) clarify concepts that apply to GDPR and are mostly misunderstood; c) provide a step-by-step guide to creating a self-regulatory framework within your organization.
The target audience is small and medium companies that are starting their business, are still not well informed about GDPR, and need a guide on how to start dealing with this topic. This document can also be handy to the person responsible for compliance who wants to build up the knowledge base within the organization. Finally, this document is for all the others who are still disoriented and want to know where GDPR comes from and its implications at the technical and business process level.
5. GDPR user’s rights and checklists
[Image]: taken from Blinking website https://blinking.id
The GDPR consists of 99 articles, which identify 8 user rights that the EU regulation intends to strengthen. Below, I describe those rights along with a checklist of actions to be taken in order to guarantee them within the context of IT systems or web applications.
1. THE RIGHT TO BE INFORMED
Be transparent about how you collect and process personal information, and the purposes you intend to use it for. Inform your customers of their rights and how to exercise them. This means full disclosure during the onboarding process in an application, and/or written on the website. Provide privacy information to users when you collect their data:
· what data is collected, how it is collected, and how it is used
· where the data are stored (spreadsheets, emails, databases)
· what the retention period is for that personal data
· who it will be shared with (third parties); this information should be displayed
· how you communicate your privacy notice: using layering, dashboards, or just-in-time notices
· consider user testing as a way to get feedback on how effective the delivery of your privacy information is
· inform your customers in case of a data breach; the notification must be done within 72 hours of first having become aware of the breach
· put procedures in place to effectively detect, report, and investigate a personal data breach
· give customers control of their data; logging out should be as easy as logging in
2. THE RIGHT TO ACCESS
Your customers have the right to access their data. You need to enable this, either through a business process or through technical means.
· define a policy for how to record the requests you receive
· define a process that can satisfy the request within 1 month
3. THE RIGHT TO RECTIFICATION
Your customers have the right to correct information that they believe is inaccurate.
· define a policy for how to record the requests you receive
· define a process for how to rectify the data within a month
4. THE RIGHT TO ERASURE
You must provide your customers with the right to be forgotten.
· define a policy for how to record the requests you receive
· define a process for how to delete the data and how to respond within a month
5. THE RIGHT TO RESTRICTION OF PROCESSING
Individuals have the right to request the restriction or suppression of their personal data, for instance when the information you hold is no longer accurate. This is not an absolute right and only applies in certain circumstances. When processing is restricted, you are permitted to store the personal data, but not to use it.
· define how to recognize a request for restriction, and make sure you understand when the right applies
· define a process for how to rectify the data and how to respond within a month
6. THE RIGHT TO DATA PORTABILITY
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes, across different services. Allow customers to move, copy, or transfer personal data easily from one IT environment to another, in a safe and secure way, without affecting its usability.
· enable a machine- and human-readable export of your customers' personal information
· define a process and methods to transmit the customer's personal data within a month
7. THE RIGHT TO OBJECT
Your customers have the right to object to your processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data from being used for direct marketing.
· define a policy for how to record the objection and respond within a month
· define a process to stop processing the data
· write information in your privacy notice about individuals' right to object, presented separately from other information on their rights
8. THE RIGHT REGARDING AUTOMATED DECISION MAKING
Automated decision-making is the process of making a decision by automated means without any human involvement. These decisions can be based on factual data, as well as on digitally created profiles or inferred data.
· your customers have the right not to be subject to a decision based solely on automated individual decision-making, including profiling
· carry out a Data Protection Impact Assessment (DPIA) to consider and address the risks before you start any new automated decision-making or profiling
· tell your customers about the profiling and automated decision-making you carry out: what information you use to create the profiles, and where you get this information from
· use anonymized data in your profiling activities
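The checklists for rights 2 to 8 above all come down to the same few operations: record the request, respond within a month, and then act on the stored data. The following Python module is an added example, not code from the original article, that shows how those operations can sit on a single record store: a request ledger that computes the one-month deadline and lists overdue requests, one export that serves both access and portability in machine- and human-readable form, rectification, erasure that leaves an auditable tombstone, a restriction flag that keeps the data stored but blocks its use, an absolute direct-marketing opt-out, and stripping of direct identifiers before profiling. The class and field names, the identifier list and the sample user are constructed for illustration, and the month is modelled as 30 days.

```python
"""Added example (not from the original article): a minimal data-subject-request
ledger mapping the GDPR rights above onto operations on one user record.
Names, the identifier list and the sample user are constructed for illustration."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta

# Response window used throughout the checklists: one month (modelled as 30 days).
RESPONSE_WINDOW = timedelta(days=30)
# Constructed list of fields treated as direct identifiers and dropped before profiling.
DIRECT_IDENTIFIERS = {"name", "email"}


class ProcessingRestricted(Exception):
    """Raised when data under restriction (right 5) or objection (right 7) would be used."""


@dataclass
class UserRecord:
    data: dict                        # personal data held on the individual
    restricted: bool = False          # right 5: may be stored, must not be used
    marketing_opt_out: bool = False   # right 7: absolute objection to direct marketing
    erased: bool = False              # right 4: tombstone so the deletion is auditable


class DsrLedger:
    def __init__(self) -> None:
        self.records: dict[str, UserRecord] = {}
        self.requests: list[dict] = []   # every request is recorded, as the checklists ask

    def log_request(self, user_id: str, kind: str, received: date) -> dict:
        """Record a request and compute its one-month deadline."""
        entry = {"user_id": user_id, "kind": kind, "received": received.isoformat(),
                 "deadline": (received + RESPONSE_WINDOW).isoformat(), "status": "open"}
        self.requests.append(entry)
        return entry

    def close_request(self, entry: dict) -> None:
        entry["status"] = "done"

    def overdue(self, today: date) -> list[dict]:
        """Open requests whose deadline has passed."""
        return [r for r in self.requests
                if r["status"] == "open" and date.fromisoformat(r["deadline"]) < today]

    def export(self, user_id: str) -> tuple[str, str]:
        """Rights 2 and 6: the same data in machine-readable JSON and a human-readable text."""
        data = self.records[user_id].data
        machine = json.dumps(data, sort_keys=True)
        human = "\n".join(f"{k}: {v}" for k, v in sorted(data.items()))
        return machine, human

    def rectify(self, user_id: str, field_name: str, value) -> dict:
        """Right 3: correct one field and return the corrected record."""
        self.records[user_id].data[field_name] = value
        return self.records[user_id].data

    def erase(self, user_id: str) -> None:
        """Right 4: remove the data; the empty record stays as a tombstone."""
        rec = self.records[user_id]
        rec.data = {}
        rec.erased = True

    def restrict(self, user_id: str, restricted: bool = True) -> None:
        """Right 5: storage continues, use_for_processing() refuses until lifted."""
        self.records[user_id].restricted = restricted

    def object_to_marketing(self, user_id: str) -> None:
        """Right 7: the objection to direct marketing is absolute, so it is simply honoured."""
        self.records[user_id].marketing_opt_out = True

    def use_for_processing(self, user_id: str, purpose: str) -> dict:
        """Single gate every internal consumer of personal data goes through."""
        rec = self.records[user_id]
        if rec.erased:
            raise KeyError(f"{user_id} has been erased")
        if rec.restricted:
            raise ProcessingRestricted(f"{user_id}: restricted, cannot use for {purpose}")
        if purpose == "direct_marketing" and rec.marketing_opt_out:
            raise ProcessingRestricted(f"{user_id} objected to direct marketing")
        return rec.data

    def profiling_input(self, user_id: str) -> dict:
        """Right 8: direct identifiers are stripped before data feeds any profiling."""
        data = self.use_for_processing(user_id, "profiling")
        return {k: v for k, v in data.items() if k not in DIRECT_IDENTIFIERS}


def demo() -> dict:
    """Walk one constructed user through the rights and return the observable results."""
    ledger = DsrLedger()
    ledger.records["u1"] = UserRecord(
        data={"name": "Sample User", "email": "sample@example.com", "plan": "basic"})
    req = ledger.log_request("u1", "access", date(2018, 5, 25))
    machine, human = ledger.export("u1")
    ledger.rectify("u1", "plan", "pro")
    ledger.restrict("u1")
    try:
        ledger.use_for_processing("u1", "analytics")
        blocked = False
    except ProcessingRestricted:
        blocked = True
    ledger.restrict("u1", restricted=False)
    profile = ledger.profiling_input("u1")
    overdue_before = len(ledger.overdue(date(2018, 7, 1)))
    ledger.close_request(req)
    return {"deadline": req["deadline"], "machine": machine, "human": human,
            "blocked": blocked, "profile": profile, "overdue_before": overdue_before,
            "overdue_after": len(ledger.overdue(date(2018, 7, 1)))}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The one design choice worth copying is the single `use_for_processing()` gate: restriction and objection are only enforceable if every internal consumer of personal data reads through one function that checks the flags, rather than querying the store directly.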
5.1 Regulation within the different countries
[Image]: taken from Blinking website https://blinking.id
Organizations that have EU sales offices which promote or sell advertising or marketing targeting EU residents will likely be subject to the GDPR, since the associated processing of personal data is considered to be “inextricably linked” to, and thus carried out “in the context of the activities of”, those EU establishments (Google Spain SL, Google Inc. v AEPD, Mario Costeja González (C-131/12)) (20)(25).
Organizations not “established” in the EU that target or monitor EU data subjects will be subject to the GDPR where they process personal data about EU data subjects in connection with:
· the “offering of goods or services” (payment is not required); or
· “monitoring” their behaviour within the EU. “Monitoring” specifically includes the tracking of individuals online to create profiles, including where this is used to make decisions to analyze or predict personal preferences, behaviours, and attitudes.
· for the offering of goods and services (but not monitoring), mere accessibility of a site from within the EU is not sufficient. It must be apparent that the organization “envisages” that activities will be directed to EU data subjects.
· contact addresses accessible from the EU and the use of a language used in the controller’s own country are also not sufficient. However, the use of an EU language or currency, the ability to place orders in that other language, and references to EU users or customers will be relevant.
It is not clear whether non-EU organizations offering goods and services to EU businesses (as opposed to individuals) will fall within the scope of the “offering goods and services” test in Article 3(2)(a).
5.2 Regulation versus national law
As a Regulation, the GDPR will be directly effective in the Member States without the need for implementing legislation. However, on numerous occasions, the GDPR does allow the Member States to legislate on data protection matters. This includes occasions where the processing of personal data is required to comply with a legal obligation, relates to a public interest task, or is carried out by a body with official authority (26).
· national data protection authorities will continue to exist. They must cooperate with each other and with the European Commission, and monitor the application of the GDPR.
· they must act independently.
· members of supervisory authorities must be appointed in a publicly transparent way and be skilled in data protection.
5.3 GDPR as a value proposition
Although it can be challenging to be compliant with GDPR, compliance brings new habits and positive effects for an organization’s internal users and external customers.
1) Improved data consistency: users are more conscious of the data they want to provide. They will understand the value of their data: “If you’re not paying for the product, you are the product.” Consumers will soon realize that businesses see their data as a capital asset.
2) GDPR mandates that users’ data are portable. If consumers want to switch service providers, all they have to do is ask you for a copy of their data in a portable format, which they can then pass on to their new provider.
3) Collecting data on an opt-in basis means that the data collected belongs to the target segment interested in your product or service. No “spray and pray” effect.
4) The need for GDPR compliance forces you to allocate the budget more wisely.
5) GDPR forces you to embrace the concept of data privacy as part of corporate identity and competitive advantage.
6) Under GDPR, businesses that want to be competitive will have to give consumers more options, possibly with varying combinations of pricing and data sharing. The winners will be the ones that give consumers the most value from the exchange.
Continue reading
Part #1- GDPR definitions, key takeaways, and action plan