The area of individuals' rights under the GDPR is somewhat of a minefield, both for businesses and the individuals themselves. The arrival of the now 2-year-old GDPR not only enhanced existing rights and introduced new rights; it also brought a new level of awareness and activity for individuals. Since then, however, there has been relatively limited guidance published on this important issue. Generally speaking, the past two years has seen more questions than answers around individuals' rights. We look towards future guidance in this area and consider some of the burning questions businesses face.
Getting DSRs right
In January 2020, the 'Head of Activities – Information and Communications', Greet Gysen, at the European Data Protection Board (EDPB) published a blog post titled 'Getting data subject rights right'. This post signalled the forthcoming arrival of guidelines dealing with a topic of particular interest and relevance to practically all businesses – data subject rights (DSRs). Until this point, many of the guidance documents issued by the EDPB had been quite sectoral and specific, but these guidelines would address a topic of broad interest.
In preparation, the EDPB undertook an initial stakeholder event, followed by workshops attended by NGOs, business and professional associations, together with attendees from academia and the corporate world. It held sessions on DSRs including access, restriction, erasure, and objection. The draft guidelines have been developed with the input from the workshops and are to contain practical examples from stakeholders, include guidance requested, and address specific questions raised.
The draft guidelines were slated for adoption by the EDPB, and published for the final 'public consultation' phase, in or around March/April 2020. However, as the COVID-19 pandemic took hold, the EDPB had to cancel the scheduled plenary sessions and understandably redirect its efforts to coping with the data protection fallout from the pandemic. Unfortunately, the eagerly-awaited draft guidelines remain on hold.
By far the most exercised right, and the one subject to the most complaints, is the right of access. This appears to be reflective of the EDPB's experience in developing the draft guidelines and the right of access is expected to take centre stage. While this right has been in existence long before the arrival of the GDPR, there remains a lot of uncertainty on the scope of this right and the corresponding obligations.
These issues are particularly acute in the context of contentious employment-related requests for access. Some such questions that remain unanswered include:
What constitutes an abusive or excessive request?
Can you ask an individual to reasonably clarify or narrow the scope of their request?
How do you address a case where providing access will negatively affect others?
What is accepted as reasonable and proportionate searches carried out?
Which ways are appropriate to provide the personal data to the individual in response?
Currently there is some guidance from individual regulators across the EU. For example, the UK regulator, the ICO, has helpfully shed some light on the concepts of abusive and excessive requests. However, many of these burning questions are yet to be addressed head-on. As a result, businesses have been struggling to understand what is expected of them in complying with this right.
Education and clarity
The EDPB's stakeholder event and workshops also identified that individuals were often unaware of the differences between rights, the scope of a given right, or the consequences of exercising each right. A further issue was the lack of understanding of the relationship between certain rights. For individuals, understanding the rights in the GDPR is undoubtedly daunting. The draft guidelines are expected to include practical examples to clarify these points, including when and how certain rights apply and the limits/exemptions applicable in each case. From a business perspective, this is also important, as miscommunication and misunderstanding around rights is often a source of complaints to regulators.
The right of erasure, for example, arguably requires an individual to understand and identify the specific ground for erasure being relied on. Moreover, a business has the right to refuse erasure in certain cases, such as where the information is needed for legal reasons. Equally, the wording of the right to object also suggests that the individual must specify grounds specific to his or her situation to make the objection.
For these rights, businesses and individuals alike need more clarity and structure around what the GDPR actually requires and permits. Until the draft guidelines are issued, stakeholders remain somewhat in the dark.
If, as a business, you are struggling with understanding and dealing with DSRs, you're not alone. The events and workshops undertaken by EDPB in preparation for the draft guidelines have shown just how much of a minefield DSRs represent and how many open questions there are. We hope to see the draft guidelines issued in the near future but, until then, here are some key takeaways for handling DSRs:
Recognise and deal with requests as soon as they are received.
If there are reasonable doubts as to the individual's identity, seek appropriate verification of who they say they are at the outset.
Liaise with the individual in writing to clarify the scope and limitations of their right(s) under the GDPR.
Identify any issues or misunderstandings on either side at an early stage.
Respond to the request, at least in part, within one month of receiving it.
If preparing the full response will take more than one month, communicate this to the individual and explain why.
When providing the full response, clearly explain your response to the individual and seek to engage with follow-up questions.
Originally published 18 June, 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.