- Published on 11 April 2018
The safest thing to do with GDPR is err on the side of caution. Make sure you have compliant, sensible, secure policies, processes and systems in place. In his latest article on GDPR, Geoff Cooling looks at the rights of the person under the new rule.
Legal basis for data retention and contact
There may be an argument that there is a legal basis for contact if we have sold a person a hearing aid. Service calls or periodic hearing tests may well be seen as necessary contact on a contractual basis. Do you have the cash for a barrister to fight that argument in court? The simplest way to remain legal when it comes to consent to contact, and indeed to retaining data, is to get clear consent for every reason we process data or contact a patient. Then there is no question about legality and you have covered yourself.
The nightmare letter
I read an excellent article on LinkedIn by Constantine Karbaliotis who is a privacy expert and a Director at PWC Canada. He adapted a request letter that he had written several years ago to reflect the requirements of the GDPR. He called it the Nightmare Letter and it sent chills down my spine.
The letter lays out implicitly the rights that any person has under the GDPR to request information from any company that has their data. I think it is imperative that we understand this clearly so in this final article I am going to lay out the rights that any person who deals with your company has. Remember, it does not matter if you are a multi-billion company or a sole trader, the GDPR covers you.
Article 15 and right to access
Under Article 15 of the General Data Protection Regulation, any customer of your business has the right to access the personal data that you hold about them. Under Article 12 of the GDPR, you have one month to reply to them, or they can forward a letter of complaint to the local data protection authority. But what information can they request from you? Exactly what can they ask of you? That is where the letter formulated by Constantine Karbaliotis is hugely enlightening.
Any customer can request an outline of exactly what personal data is held in any files or databases that you own or use. The request for information will include any and all data that you might hold on your information systems, whether or not contained in databases, including e-mail, documents on your networks, or voice or other media that you may store.
Where it is stored
They may also request to be advised where and in which countries their personal data is stored, or accessible from. If you use cloud services to store or process their data, they can ask about the whereabouts of their data and where it has been stored during the previous 12 months. They can also ask for a full copy of or access to any of their personal data you hold and be furnished with a clear explanation of how long you hold their data and why you do so.
Specific uses and third parties
They can ask you to provide a detailed account of the specific purposes for which you use their data. They can also ask for a list of the third parties with whom you have shared their personal data. They also have the right to know where those third parties have stored their data and the legal basis for the transfer of their data to those third parties.
Profiling and automated decisions
They have the right to receive information about any automated decisions made about them and any profiling of them you undertake. For instance, if you have profiled them as a “consultation no sale” and are sending a letter to them, they have the right to ask you about the logic of that decision and on what basis you are doing so.
They of course have the right to know if any of their personal data has been disclosed inadvertently by you or any third parties, or as a result of a security or privacy breach. In this case, you will need to offer a general description of what occurred, the date and time of the breach, the date and time the breach was discovered, the source of the breach, the details of their personal data that was disclosed, your assessment of the risk of harm to them because of the breach, and a description of the measures you have taken or will take in the future to prevent further unauthorised access to their data.
Even if you are unsure whether their data has ever been exposed, they have the right to ask you what steps you have taken to minimise the risk that it may be. They can ask questions about your information policies and the standards that you adhere to in relation to safeguarding the personal data you hold. They can also ask about the training you have undertaken in this sphere, or the training and policies that you have delivered to your staff.
Backups and security tech
They can ask if you have backed up their personal data, and if so, where it is stored and how it is secured, including what steps you have taken to protect that data from loss or theft, and whether this data backup includes any encryption. They have the right to know whether you have put any technology in place to secure their data and if you have any technology which allows you with reasonable certainty to know whether or not any personal data has been disclosed.
They have the right to know whether you have in place intrusion detection systems, any firewall technologies, what access and identity management technologies you use, whether you use database audit or security tools, or other technologies to track access.
Wide ranging right to answers
As you can see from the preceding paragraphs, people have rights to a wide range of information from you. When I first read the nightmare letter I have to say I was shocked by the amount of information we would need to collate to answer a request for all of the information that the GDPR allows.
I mean, the nature of the information is not necessarily business-sensitive; however, information such as where your third-party partners store their data is not something that up to now we have really considered. I know I haven’t. In fairness, I think we have all been blasé with personal data. I think I would be pretty tech-aware and security-conscious.
I secure and encrypt any digital device I use; however, I have never thought about database auditing tools or even checked access logs. The GDPR tightens up privacy regulation across the EU and beyond. The key here is that even if a business is not within the EU, if it is dealing with EU data, it needs to be completely compliant with the GDPR.
Software GDPR compliant, are you?
Even if you are using a GDPR-compliant software system to handle patient data, that doesn’t mean that you are GDPR compliant. It means that your database system is technically compliant; you will still have to institute processes and procedures to ensure that the way you use the software, and how you share information within your organisation and with third parties, is compliant. The onus here is on you, not someone else.
Get ready for a request
I think it is incumbent upon us all to ready ourselves for a request. Many of the details that have been raised here can in fact be set out in a generalised document. The questions that may be asked of us are relatively general, and it is better to be prepared to answer them rather than receiving a request and panicking.
Remember, each purpose for which you may use their data needs to be clearly and explicitly explained in easy-to-understand language. We also need to allow them to opt in for some purposes and opt out for others. We then need to ensure that we record the permissions and ensure that they are honoured. In this way, we can go a great deal of the way to protecting ourselves.