This week in the GDPR Overview blog series, we are talking about the last two rights granted to individuals under the new General Data Protection Regulation. These rights are the right to data portability as well as rights related to automated decision making.
In brief, the right to data portability refers to the ability to transfer personal data efficiently and securely between environments at the request of an individual.
Rights in regard to automated decision making refer to any decisions made about an individual's personal data that do not involve any human interaction or involvement. Individuals have the right to be aware of any automated decision making happening with their data as well as to be able to request human intervention and regular checkups made to the automated process.
So how will these rights affect your organization?
Under GDPR, your organization will need to make sure it can provide an individual with a copy of their personal information in a common and machine-readable format. Another computer must be able to import and extract elements of the information as required. Data portability requires that the individual be able to and obtain their data and have it transferred from one system to another for their own purposes.
The right to data portability only applies under certain circumstances:
- To personal data provided to a data controller by the individual (any personal data an organization collects)
- To personal data processed where the legal basis for processing is the individual's consent or for the fulfillment of a contract
- To personal data processed through automated means
The right of data portability does not apply when the organization processing the data is doing so to fulfill a legal obligation or if they're processing the information as part of a task carried out in the public interest.
When a request for personal data comes in, the individual can ask for one of two things. They can ask that their information be provided to them personally in a format they can then provide to the new environment themselves; or the individual can request that your organization transfer their personal information directly to the secondary environment, only if it's possible for you to do so (you are not required to invest in new infrastructure to comply with this).
In either scenario, GDPR states the request must be completed within one month of receipt. However, if the request is complex or if there are multiple requests from the same individual, you may extend this period up to two months longer – provided you inform the requester and explain why the extension is needed.
During the completion of a data portability request, it may happen that other individuals' personal data is contained within the dataset requested. In this case, it is imperative that the organization receiving this data (if it's transferred to them directly or provided to them by the individual) is not infringing on the rights and freedoms of others. These other individuals who did not make the data portability request are essentially prevented from exercising their own fundamental rights under GDPR, therefore the receiving organization must be sure to have a solid legal basis for processing the new data – such as legitimate interests, for example. The receiving organization must not use this new data for their own purposes.
An individual's rights in regard to automated decision-making under GDPR apply wherever decisions are made through automation, with no human involvement. This now includes any profiling activities conducted in relation to the personal data in order to make evaluations and come to certain conclusions about an individual. Examples of profiling can include the gathering of data in order to determine an individual's preferences, to predict their likelihood of making a purchase, or sort them into specific categories for future actions.
In general, the use of automated decision-making is permitted under GDPR, provided that organizations follow basic GDPR principles, such as declaring their legal basis for processing. However, GDPR introduces new restrictions for when any automated decision-making has a potential legal effect or ramification for an individual. In this case, there are only certain instances where decision-making of this nature is permitted:
- When the decision is needed to enter into or to carry out a contract
- When the decision is authorized by a governing law
- When the decision is based on the explicit consent of the individual
If the automated decision-making falls under one of these three categories, the organization must inform the individuals whose data is being processed about the automated decision-making, as well as any profiling taking place. The organization must also put steps in place to prevent errors caused by the automated decision-making as well as to prevent any bias or discrimination that could result from it.
GDPR provides individuals with the right to dispute any decisions made through the automated process and allows them to request a review of said decision. Any individual also has the right to request human intervention into the decision-making process to ensure a correct and fair decision is made. As a best practice, any organization who employs the use of automated decision-making should provide their clients or anyone whose information they may collect with information regarding how the automated process works, the reason for its use, and any possible consequences the individual may expect as a result.
Power to the People
As has been mentioned several times throughout this blog series, the aim of these new rights given to individuals under GDPR is to provide them with more power as to what can be done with their personal data and how it can be done. These two rights discussed today align closely with some of the rights we've previously covered, most notably the right to be informed and the right to access.
In regard to data portability, individuals gain more power over where and how their information is stored and enables them to gain access to this data and have it moved between systems as desired. In the case of their rights in relation to automated decision-making, this provides individuals more power to be informed about exactly what's happening with their data, how certain decisions are made, and how these decisions could affect them. In short, knowledge is power and GDPR ensures that individuals have access to more knowledge regarding their personal data than ever before.
Next week in the GDPR Overview series...
That's all for this week in the GDPR Overview blog series. Next week we will learn what a DPO is, how organizations must deal with data breaches, and happens when you don't comply with the new GDPR.