Now that we’ve had time to settle down after the frantic activity around the introduction of GDPR in May, we thought it would be a good idea to take a look at how the new regulations have affected us.
In fact, many people believe they did their bit in advance of the May deadline and that this was enough. On the face of it, it may seem that nothing has changed, but this is definitely not the case.
GDPR was not a one-off event
Even though the press coverage has died down, GDPR is an on-going, permanent journey and organisations must move it up their corporate priority list. In every company, someone needs to take responsibility to ensure compliance on an on-going basis, and to decide, if there is a problem, whether to report it to the Information Commissioner’s Office (ICO).
This is important because, whilst the current remit of the ICO is to help, it does have the power to impose fines in the future on companies that transgress and are deemed not to have taken sufficient measures.
Subject access and right to erasure requests
The media coverage of GDPR virtually stopped after it came into effect on 25 May, and we will probably not have a big news story about it until an organisation that continually flouts the rules receives a big fine – we shall watch with interest what happens next after the latest breach admission from Dixons Carphone. Nevertheless, there is a lot of GDPR-related activity going on. Many individuals have already taken advantage of the new regulations to submit subject access requests or demand their right to erasure. Unfortunately, many companies do not appear to have implemented any policies detailing how to handle these requests, and the ICO itself has been poor at providing guidance.
In fact, I contacted the ICO directly for some specific clarification about subject access requests. Sadly, they could not help, telling me that they “believe” clarification is on the way. I do not believe this answer is good enough. They are the ones who need to come up with the clarification, not to wait for it to come from the EU, leaving me to conclude they are not doing a good enough job supporting UK business.
With subject access requests, the perception is that an individual can ask for all information being held about them, including the original documents and emails, but things are not as straightforward as that. The requirement for fulfilling the request is to supply the personal data held, rather than the much more onerous task of collating and supplying all documentation. It is inevitable that documents will also contain personal information about other individuals, which cannot be released without either the consent of the other party involved or redaction of the documents. Organisations are understandably getting into a flap about these requests as they worry about the possible fines involved if they do the wrong thing, but my advice is to not be afraid to push back where appropriate. Requests can be turned down if they are what the ICO terms “manifestly unfounded or excessive”.
As an example, a charity client of ours has had a problem with an ex-employee who was only employed for 12 weeks, but has been asking for all the emails that mention them. My advice to the client was that the individual was not entitled to so much information.
The difficulty with the erasure of an individual’s information is that sometimes technology goes wrong. It may well be that an individual asks for their details to be erased, but if there is subsequently an issue with the database and the company restores the most recent back-up, that person’s details could be put back into the system again.
The French regulator has tried to clarify things by advising companies to keep a list of every erasure request. In a case where back-up data needs to be restored, staff can consult the list to double-check and erase the details again. However, where companies are asking individuals to consent to this option, the individuals are not consenting, leaving the companies open to further difficulties if back-up data containing that person’s details needs to be reinstalled. This is a good example of a case where the data subject’s consent is not, in fact, required: a right-to-erasure request does not need to be complied with if the data is held under Legitimate Interest (LI) and the data subject’s Legitimate Interest does not outweigh the controller’s.
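The register-and-replay approach described above, as an added example that is not part of the original post: an erasure register kept outside the backed-up table, re-applied after every restore. The record layout, the keyed hashing of register entries and the sample data are all constructed assumptions, not anything the regulator or the post prescribes.

```python
"""Erasure register replayed after a backup restore (added example, constructed data)."""
import copy
import hashlib
import hmac

# Constructed key. The register stores only a keyed hash of the subject
# identifier, so the register itself does not retain the erased personal data.
REGISTER_KEY = b"constructed-demo-key-rotate-in-production"


def register_token(email):
    """Derive the register entry for a subject identifier (normalised email)."""
    norm = email.strip().lower().encode()
    return hmac.new(REGISTER_KEY, norm, hashlib.sha256).hexdigest()


class SubjectStore:
    """Toy customer table plus an append-only erasure register.

    The register must live outside the table's backup set, otherwise a restore
    would roll the register back along with the data it is meant to police.
    """

    def __init__(self):
        self.records = {}           # email -> personal data (constructed layout)
        self.erasure_register = []  # tokens only, never raw identifiers

    def erase(self, email):
        """Honour a right-to-erasure request and log it in the register."""
        self.records.pop(email, None)
        token = register_token(email)
        if token not in self.erasure_register:
            self.erasure_register.append(token)

    def replay_register(self):
        """Re-apply every logged erasure; returns the identifiers removed again."""
        re_erased = [e for e in list(self.records)
                     if register_token(e) in self.erasure_register]
        for e in re_erased:
            del self.records[e]
        return re_erased

    def restore_from_backup(self, backup_records):
        """Restore the table from a backup, then immediately replay the register."""
        self.records = copy.deepcopy(backup_records)
        return self.replay_register()


def demo():
    """Backup taken before the request; restore would resurrect Alice without replay."""
    store = SubjectStore()
    store.records = {"alice@example.com": {"name": "Alice"}, "bob@example.com": {"name": "Bob"}}
    backup = copy.deepcopy(store.records)
    store.erase("alice@example.com")
    re_erased = store.restore_from_backup(backup)
    return sorted(store.records), re_erased
```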