09) Can your organisation facilitate an individual's data privacy rights?

August 30, 2022
GDPR
Data Privacy Rights

Answer yes if your organisation has the correct processes in place to be able to provide the relevant individual data privacy rights to all of the data subjects for whom you hold data (e.g. the right to subject access, the right to erasure…).

Businesses must be aware of how individuals’ rights in respect of their personal data have been defined in law. The data protection legislation in many countries gives individuals (whether these be customers, contractors or members of staff) more control over the ways in which businesses process their personal data.

This has led to the granting of new rights for individuals as well as the enhancement and improvement of rights that existed under previous data privacy regulation.

Legal privacy rights vary depending on which jurisdiction applies to the origin of the personal data and the data subjects you collect data from. However, the following rights should comply with many of the evolving regulations.

  • Right to be informed. Do you ensure that all individuals are informed (at the point of collection or as soon as possible after) about what personal data is collected, why it is collected, how it will be used and who it will be shared with?
  • Right to access. Do you ensure that all individuals are able to access all data relating to them, including how it has been used and why it was collected, in a reasonable time frame? And can you provide this information in a way that enables an individual to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way?
  • Right to rectification. Do you ensure that individuals are able to correct any personal data held or processed about them that is incorrect or inaccurate?
  • Right to erasure. Do you delete personal data on request of the data subject, as long as there is no legal obligation to retain the data?
  • Right to restrict processing. Do you grant individuals' requests that their data is only processed for minimal, specific purposes, including limiting the disclosure and use of sensitive personal data and the right to remain anonymous (e.g. by using a pseudonym) in certain situations?
  • Right to object or opt out. Do you enable individuals to opt out of a particular type of processing (e.g. direct marketing) or object to the processing of their personal data entirely? And do you have a process for assessing each objection request to determine whether it can or should be granted (e.g. whether there is no other legal basis under which you are required to continue processing)?
  • Right to fair use of automated decision making or profiling. Do you ensure individuals have a simple way of requesting human intervention or challenging a decision in relation to automated decision making or profiling? And do you carry out regular checks to make sure that your systems are working as intended?
  • Right of no retaliation. Do you ensure that there is no discrimination against individuals who choose to exercise their data privacy rights?
  • Right to make a complaint. Do you provide an easily accessible channel for individuals to make a complaint relating to their privacy?

How to implement the control

You must ensure that, for each case where personal data is stored or processed, you have:

  • reviewed the data privacy rights of individuals as legally defined in the country of origin, and
  • technical and administrative capabilities which enable you to uphold those rights if legally challenged.

It is good practice to adopt a ‘high bar’ of ethical rights (e.g. as described in the EU General Data Protection Regulation) and ensure that this is at least equivalent to - or can be supplemented with - other jurisdictions’ requirements where needed. This enables a consistent and repeatable standard and approach to data privacy rights across your organisation, minimising complexity and diversity.

If required, a third-party data protection consultancy or legal counsel can review your organisation’s data processing activities and either provide assurance on, or advise improvements to, your practices to support these individual rights.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
