We’re all consumers for someone. Whether you are a chief executive with a LinkedIn account, a charity worker with a Twitter presence, or a lawyer subscribed to newsletters and conference websites, you are an individual that has signed up and agreed to the terms and conditions of a service.
But when it comes to discussing data protection and the new law which is currently making its way through Parliament, most attention is paid from the perspective of data controllers (those that hold the data), and not as data subjects (those whose data is being held).
We are all data subjects, with rights that we can exercise. It’s important not to lose sight of that. The General Data Protection Regulation – and the UK Government’s Data Protection bill which brings it into UK law – intends to create more accountability, with less bureaucracy. One way towards achieving those goals is to empower individuals to exercise their rights.
These rights give individuals the opportunity to change services, to restrict or refuse automated processing, and the right to be forgotten, among others. They have potential to redraw the accountability between an individual, and the public or private body that controls their data.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Providing the processing is based on the individual’s consent or the performance of a contract, and that it is carried out by automated means.
For example, you would have the right to request your energy provider processing your meter readings you submit to generate your bill, to provide those readings back to you in a format that can transfer to another energy provider.
The right to erasure, is also included in the new rights framework. While not as absolute as some would like to scaremonger, it is another important development. When personal data is no longer necessary in relation to the purpose for which it was originally collected or processed, an individual can request the erasure of that data.
A controller could refuse to comply with that request, but would have to come up with a good reason for doing so (for example, defending legal claims; or performing a legal obligation of a public interest task). If no good reason can be provided, then you have the right to have that personal data erased.
Importantly, if the data controller had shared the personal data with other third parties, they have to go to those third parties and inform them about the erasure, unless it is impossible to do so.
Taking our energy provider example again. You’ve decided you are going to switch providers and get that better deal; you could also return to the old provider and ask for your personal data currently held to be erased as it is no longer necessary for them to process that data. That energy provider would have to inform third parties they shared your information with (say a smart meter provider) that your personal data is to be erased.
One right that will grow in importance in the future are the safeguards against the risk that a potentially damaging decision is taken without human intervention. Individuals have the right not to be subject to a decision when it is solely based on automated processing, and produces a legal effect or similarly significant effect on the individual. While this right has its carve outs too, ensuring processing is fair and transparent by providing meaningful information about the logic involved is an important step in holding back the tide of significant decisions rendered unaccountable on behalf of algorithms.
It is vitally important we start to understand how we can exercise our rights. The consumer group Which? published research this month that almost 1 in 5 consumers said they would not know how to claim redress following a data breach. Those statistics suggest a deficit in the public’s understanding of rights that we have, and how to exercise them.
The Open Rights Group is working alongside Which? and others to place in law the power for not-for-profit bodies, such as Open Rights Group, to seek redress “independently of a data subject’s mandate”, if it considers the rights of data subjects have been breached. This optional power, not currently implemented in the proposed law, would improve the rights enforcement framework for everyone.
There are two outcomes for this new data protection law; one guaranteed, one potential. The guarantee is that the lawyer, the chief executive, and the charity worker will understand their responsibilities as data controllers. They have to, and there are enough trainings and seminars out there to remind them of that. The potential outcome is that we will all become data subjects capable of exercising our rights under this new framework. The work Open Rights Group plans to undertake will help the public reach that potential outcome.
Matthew Rice is Scotland Director of the Open Rights Group.
Related posts
Interviews
Comment
Why innovation and marketing are the perfect partners to make changes that matter
With the rapid evolution of traditional marketing and the appearance of digital marketing, technology and innovation has become part of any marketer’s life without the need of working for a…
Transitioning to a four-day week – CEO’s vow to strike a healthier balance in the workplace
I came to Scotland nearly 20 years ago from Ireland, with no contacts but a lot of determination. While Ireland will always be my home, Scotland has given me amazing…
Women Lead: The female-led company championing intuitive working
Over the last two years, the pandemic forced a shift to more remote and flexible working practices. Whilst we might be seeing a “return to normal”, some companies are choosing…
Women Lead: My passion for young people to consider a career in digital
Twenty years ago, I stumbled across my career in digital marketing almost by accident. It was during my honours degree in marketing at Glasgow Caledonian University. I was on work…
Women Lead: Inclusive Silicon Valley cohort gives hope to entrepreneurs from diverse backgrounds
Things are happening on the Scottish tech scene. Big and small initiatives are creating a fantastic ripple effect on the sector, bottom up and top down, thanks to the recommendations…
Women Lead: The story of an entrepreneurial scientist
I first arrived in Scotland over 20 years ago. I had £75 in my wallet and a scholarship offer to do a PhD at the University of Edinburgh. Sometimes I…
Please mind the gap… or healthcare may fall
Imagine sharing a lengthy train journey with others. From beginning to end, imagine how often you might hear ‘mind the gap’ messages about embarking and disembarking safely. Picture how navigating…
Women Lead: My journey from Dragons’ Den to Silicon Valley
Following her appearance on Dragons’ Den, Sheila Hogan, serial entrepreneur, founder and chief executive of digital legacy vault, Biscuit Tin, shares her experience of her time in the Den and…