The small business no-nonsense guide to GDPR Part III: The rights of the individual
The rights of the data subject
Articles 13 through to 22 of the GDPR describe certain rights that data subjects are entitled to. In this section we will be covering each one in turn and looking at how they may affect your small business.
It may seem like a sisyphean task to ensure you uphold each right, but as before it needs to be seen as a process rather than a product. Some of the rights will be less relevant to smaller businesses as they are designed to deal with large corporations instead.
Your data processing system should be designed by default to comply with each of these rights. We will also discuss how RealtimeCRM can help you comply with each right where relevant.
The rights of the data subject are as follows:
- The right to be informed
- The right of access
- The right to rectification
- The right to erase
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
The right to be informed
Put simply, you need a privacy notice which transparently and simply explains who you are, what data you are collecting, for what purpose (especially if the data will be used in profiling), for how long will you hold onto the data and finally if you will pass it onto a third party.
You must also clearly state where you got the personal data from if you did not get it directly from the data subject, as well as how the data subject may withdraw consent or complain to the relevant supervisory body.
The right of access
Individuals have the right to access the personal data which you hold on them and any supplementary information. The primary reason for this right is that it allows individuals to be aware of and verify the lawfulness of the data processing which you are doing.
The time limit from the request being made by the data subject to the information being obtained by them is 1 month. For some businesses this could be difficult if they have many customer information requests or a very complex data management system (say, multiple spreadsheets without an efficient reference system) to gather the required information in a timely manner incurring a cost to the business. Unfortunately, under GDPR guidelines you are not able to charge a fee for dealing with an information request so streamlining this process to be as efficient as possible is in your interest.
With RealtimeCRM we want to make complying with the right to access component of the GDPR as simple as pushing a button, in fact that’s what we’ve done. We’ve introduced thebutton on all Contact records. In clicking this button you can download a PDF file with all the information you hold on that Contact. This allows you to quickly and painlessly send this information to the customer, allow them to check its accuracy and whether they consent to you continuing to hold this information. Your data management system shouldn’t be a hindrance to compliance but an aid to it.
As you can see having your data stored electronically in a CRM system like RealtimeCRM can save you a significant amount of time and make compliance a lot easier.
The right to rectification
The GDPR enables individuals to rectify their personal data if it is inaccurate or incomplete. Furthermore, if you have disclosed this inaccurate personal data to third parties you must inform the data subject of these third parties and also inform the third parties that the data is to be rectified and thus made accurate.
Once again if you receive a rectification request from an individual you have one month to comply. Ourfeature within RealtimeCRM can quickly enable you to provide the information requested.
The right to erase
The underlying principle of this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
For most small businesses it will likely apply if the personal data is no longer necessary for the purpose it was originally collected or if the data subject withdraws their consent to process their data, or if the data was unlawfully processed i.e. in breach of the GDPR.
As before, if you have passed their personal data onto a third party you must inform them of the erasure request too unless it is impossible or involves disproportionate effort to do so.
If you have the right system in place you can comply with this requirement of the GDPR without too much trouble. In this case storing your data electronically such as in RealtimeCRM allows you to quickly search for the individual’s record and simply click thebutton. Their data will be removed from the CRM system permanently.
The right to restrict processing
This right enables individuals to stop you from processing their data but you are still allowed to store their personal data.
An example of when this might apply for a small business is if the individual questions the accuracy of the data you hold on them. In this case until they have verified its accuracy you must not do any processing with this data.
The right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Put simply, they can move, copy or transfer personal data easily from one IT environment to another.
In order to comply with this the data has to be provided in a structured and machine readable format such as a CSV file. From the initial request you have 1 month to comply. If it is particularly complex or you receive many such requests then you may request an extension to 2 months in order to comply. You will also not be able to charge for this service. If you’re not storing your data electronically or if it is stored across many complex spreadsheets this task can be very arduous and time consuming.
With RealtimeCRM however you can simply select the Contact record you want and export it. It will automatically export it as a CSV file, enabling you to pass this onto the data subject who made the initial data portability request without much fuss.
The right to object
Individuals have the right to object to you processing their data on grounds “relating to his or her particular situation”. If you receive such an objection you must cease processing their data unless:
- You can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual.
- The processing is for the establishment, exercise or defence of legal claims.
You must also inform individuals of their right to object in your first contact with them or in your privacy notice. The GDPR states that the right to object must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
Rights in relation to automated decision making and profiling
This will unlikely be relevant to small businesses. This is more for your Google’s of the world. Basically, automated decision making means making a decision without any human involvement and profiling means automated processing of personal data to evaluate certain attributes of an individual for example their interests.
If this applies to you then you must:
- Give individuals information about the processing.
- Introduce simple ways for them to request human intervention or challenge a decision.
- Carry out regular checks to make sure that your systems are working as intended.
Documenting your data processing
Article 30 describes in detail the records of data processing which businesses are required to keep. As we have discussed previously there is a less rigorous requirement for smaller businesses but due to the as yet undefined meaning of “data processing is not occasional” in this guide we will assume the full documentation standard applies to small businesses as well.
If you recall back to the section in this guide titled “Thinking about your current data processing”, we went through how to do a data audit of your current data processing system and provided you with a template “The Controller data processing documentation template” with which to record all your data processing activities.
That’s what documenting your data processing is in a nutshell: It’s filling in that template. As we covered in that section, and the template demonstrated, you must document the following things:
- The name and contact details of your organisation and where applicable, of other controllers, your representative and your data protection officer.
- The purposes of your processing.
- A description of the categories of individuals and categories of personal data.
- The categories of recipients of personal data.Details of your transfers to third countries (countries outside the European Union) including documenting the transfer mechanism safeguards in place.
- Retention schedules.
- A description of your technical and organisational security measures.
You can also record additional data such as the location of where the personal data is stored and records of consent if you desire but when documenting your data processing ensure that it is is granular and meaningful.
The purpose behind it is not only to enable you to prove compliance but also get you thinking about whether your current data processing system meets the required GDPR standard. Then to think about what can be improved to ensure it does meet the standards set out in the legislation.
How RealtimeCRM can help you keep an eye on your data processing activities
With RealtimeCRM you can easily increase the granular detail of your data processing . You can use the Activity Notes and Event Log feature which allows you to create an audit trail of your data processing. This could be useful as an extra layer of evidence to help prove compliance with GDPR, should the ICO ever decide to look at your data processing activities.
The Activity Notes appear in every record when you do something to that record. For example, let us imagine you create a new project for a customer. Obviously, you will need to use the customer’s personal data to complete the project. The activity note will appear on the Customer’s record detailing the date, time and other details of the newly created Project, automatically recording this new data processing which has taken place.
Furthermore, the Event Log feature records any activity which has taken place in RealtimeCRM including who did it and when. This might be when a customer record is deleted. In this way you can keep an eye on your data processing activities and make sure you remain compliant and, if needed, prove compliance with the inbuilt data audit trail tools within RealtimeCRM.
Secure by design and default
The GDPR legislation requires you to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.
In plain language, have you made the personal data you have secure? One of the key features of a secure system would be that it ensures privacy by design. Some of the ways in which privacy risk can increase is if the data you hold is:
- Excessive or irrelevant.
- Kept for too long.
- Used in ways that are unacceptable to or unexpected by the person it is about.
- Not kept securely.
For a small business to ensure your data processing system is secure by design and default is to first describe your information flows.
Next, how do you store your data? If it is kept physically in a filing cabinet then is it locked and who has access to it? What about backups in case of physical damage to the data?
If it is stored electronically, is the data encrypted and once again who has access to the data and are you regularly updating your security software?
The three fundamental questions to ask when thinking about this problem are:
- How is my data secured?
- Who has access to the data?
- What protections are there against damage or unauthorised access?
As a small business you may find it useful to use third party software so you can take advantage of its inbuilt security measures. For example, RealtimeCRM enables you to restrict what different users can see and access. In that way you can protect your customer’s personal data and only allow staff members the absolute minimum access they need to carry out their work. Plus with the Event Log feature you can see if any unauthorised access has taken place adding an extra layer of security.
In addition, all communication between your browser and Realtime is encrypted with SSL. This is the same technology used to secure internet banking.
Do you need a Data protection Officer (DPO)?
As a small business you probably won’t need to have a Data Protection Officer (DPO) unless:
- You carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
- You carry out large scale systematic monitoring of individuals. For example, online behaviour tracking.
If you do decide to employ a DPO their minimum tasks will include:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed
Compliance need not be a nightmare
Hopefully, having read this guide and understood the principles behind GDPR you can see its efficacy and that it is not a terrifying iceberg you will run into in May. It’s a process not a product, it will require you to think about the way you process data currently and then ensure that security remains at the foundation of any system you implement. Keeping your customer’s data secure and in that way building trust with them in the long term.
We hope this guide has been useful in untangling what seems like an overwhelming subject. This is not a legal document but our interpretation of the new legislation and how it will likely impact small businesses. The GDPR is not a one size fits all solution and should not be read without the context of the type and size of business you are interpreting it for.
At the end of the day only you know exactly how your business processes data and it will be up to you to incorporate the principles of GDPR into your data processing system.
We’ve also made mention of RealtimeCRM in this guide which we hope can be a useful tool to help you maintain control over your data processing. To learn about how RealtimeCRM can help your business to comply with GDPR and more visit: https://realtimecrm.co.uk/
In fact, if you sign up to RealtimeCRM, in addition to the first user which is on us, any extra users you add will be free for your first month of use. Simply click through the following link: https://app.realtimecrm.co.uk/sign-up/GDPR