Synapse & GDPR: User Rights & Consent

13th April 2018

All businesses need to be aware of GDPR and the effect it will have on their day-to-day operations. After May 25th 2018, your business may need to entirely overhaul the way it collects and handles data. The first step is ensuring you have the consent you need from your users. It’s no longer acceptable to rely on consent that was obtained without the user’s knowledge, or through inaction or automation. It’s important that you’re clear about what you’re collecting, and the rights that your user has regarding their data.

As an organisation, your priority is ensuring that you are compliant in order to avoid significant fines. Part of this is offering protection for your users, and being aware of the requests that may be made of you in the future.

Every individual now has the following rights:

The right to be informed

Individuals must be able to see what you are collecting their data for before they consent. It can be in a format that suits you and the way you’re collecting the data - a form may have small snippets beside the fields or simply a link to a privacy policy - but you must make sure that it is free, clear and accessible.

You may need to provide:

  • The reason you are processing their data

  • Who it will be shared with

  • How long you will store it

  • How they can access, edit or erase it

The right of access

Individuals have the right to gain access to the data that you hold on them at any time. It must be provided quickly, without charge, and in a format that’s commonly used. This is expanded to mean that a request that is sent digitally must be returned digitally.

You may need to provide:

  • Affirmation that you are collecting data

  • An easily accessed, free copy of all the data you have collected to date

The right to rectification

In the event that the data you hold has missing or inaccurate information, the person it concerns has the right to ask you to correct or complete it. This is especially urgent if the incorrect data could lead to misunderstandings that disadvantage the individual.

You may need to provide:

  • A response within 30 days

  • A record of the request

  • A confirmation that the data has been changed, or, in the event that it is not incorrect, evidence of this and the contact details of the ICO

The right to erasure

If your user no longer consents to you collecting or using their data, or if the purpose it was collected for is no longer valid, they have the right to request that you erase it entirely. This can be refused in certain circumstances, such as if you are a local authority or acting with legal obligation, but in most circumstances you will need to have the capability to entirely remove the data if requested.

You may need to provide:

  • A response within 30 days

  • A record of the request

  • Proof that the data has been removed

The right to restrict processing

In the event that you have the right to deny a request for erasure, the user retains some rights. You do not need to erase the data, but you will need to change the way you handle it. Restricted processing is when you retain the data, but cannot use it.

You may need to provide:

  • A response within 30 days

  • A record of the request

  • Proof that the data has been restricted

The right to data portability

Though you may collect or store data, you do not have the final rights to what happens to it. In the event that your users wish to move their data elsewhere, you must provide this to them.

You may need to provide:

  • A response within 30 days

  • A full copy of the requested data in a free, machine-readable and secure format

The right to object

If data is being processed for scientific or historical research, direct marketing or an official authority, individuals have the right to object to its use.

You may need to provide:

  • A separate, explicit caveat regarding this right in your privacy notice

  • Proof that you have stopped processing the data unless you have grounds that override individual rights

  • A swift and free response in the case of direct marketing

Rights in relation to automated decision making and profiling

Many marketing and data collection processes are now completed using automation, but they are still required to be GDPR compliant. You’re still required to gain affirmative consent and explain your data usage. If all of your decision making is automated, it is likely that there are further requirements of you.

You may need to provide:

  • A section of your privacy policy directly referring to automation

  • Accommodation of further obligations in some circumstances
