Articles 18 and 19 and Recital 67 of the GDPR set out the provisions organisations must follow when an individual exercises their right to restrict the processing of their personal data.
Let’s take a quick look at what’s new.
What is the right to restrict processing?
The General Data Protection Regulation (GDPR) is all about giving the individual (data subject) more control over what happens to their personal data. Article 18 of the regulation details the right of the individual to make restrictions on an organisation and limit the way that they use the data.
The data subject should have a reason for restricting the data, for example, they might think the data is inaccurate or they do not believe they gave consent for their data to be used in the way that it has. Let’s look at that in more detail.
When can an individual use their right to restrict processing?
The Information Commissioner's Office (ICO) states that the right applies when:
- the individual contests the accuracy of their personal data and you are verifying the accuracy of the data;
- the data has been unlawfully processed (ie in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;
- you no longer need the personal data but the individual needs you to keep it in order to establish, exercise or defend a legal claim; or
- the individual has objected to you processing their data under Article 21(1), and you are considering whether your legitimate grounds override those of the individual.
Although there are clear distinctions, you can see that restriction of processing is closely related to the GDPR's right to rectification (Article 16) and right to object (Article 21(1)). For that reason it is recommended that, if you receive a rectification or objection request, you automatically restrict processing while the request is under review.
How do you restrict data processing for GDPR?
The effective management of this aspect of the GDPR, like many others, comes down to process planning. Processing personal data includes collecting, structuring, disseminating and erasing it, so your process needs to cover each of these operations: a restriction is not met simply by stopping one of them.
Your storage method is equally important. If you receive a restriction request you can temporarily move the affected data to a separate processing system, flag it so that routine processing jobs skip it, or take it out of the place where it is currently viewable, such as a public website. Under Article 18(2), restricted data may still be stored, but any other processing needs the individual's consent or one of the other grounds the Article lists (for example, establishing, exercising or defending a legal claim).
If you have previously shared this data with another organisation you must inform them of the restriction (Article 19).
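As an added example (not part of the original article, and not ISMS.online's code), the following Python sketch shows how a records system can enforce a restriction in code rather than by policy alone: a per-subject restriction register, a gate that lets storage and legal-claim processing through but blocks everything else unless the subject has consented to that purpose, a filter so bulk jobs skip restricted records, a log of recipients notified under Article 19, and a lifting step that refuses to proceed until the individual has been informed. The record fields, purpose names and recipient identifiers are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional, Set


class Ground(Enum):
    """The four Article 18(1) grounds listed in the article."""
    ACCURACY_CONTESTED = "18(1)(a)"
    UNLAWFUL_PROCESSING = "18(1)(b)"
    NEEDED_FOR_LEGAL_CLAIM = "18(1)(c)"
    OBJECTION_PENDING = "18(1)(d)"


class Purpose(Enum):
    """Constructed set of processing purposes used by this example."""
    STORAGE = "storage"
    LEGAL_CLAIM = "legal claim"
    MARKETING = "marketing"
    ANALYTICS = "analytics"
    ERASURE = "erasure"


class RestrictedError(PermissionError):
    """Raised when processing is attempted on a restricted record."""


@dataclass
class Restriction:
    ground: Ground
    requested_at: datetime
    consented_purposes: Set[Purpose] = field(default_factory=set)
    recipients_notified: List[str] = field(default_factory=list)  # Art. 19 log
    lifted_at: Optional[datetime] = None
    audit: List[str] = field(default_factory=list)


@dataclass
class Record:
    subject_id: str
    email: str
    shared_with: List[str] = field(default_factory=list)  # recipients already given the data


class DataStore:
    # Purposes that Article 18(2) allows without further consent (storage, legal claims).
    ALWAYS_PERMITTED = {Purpose.STORAGE, Purpose.LEGAL_CLAIM}

    def __init__(self) -> None:
        self.records: Dict[str, Record] = {}
        self.restrictions: Dict[str, Restriction] = {}

    def add(self, rec: Record) -> None:
        self.records[rec.subject_id] = rec

    def restrict(self, subject_id: str, ground: Ground, now: Optional[datetime] = None) -> Restriction:
        """Register a restriction and record the Article 19 notifications that are due."""
        now = now or datetime.now(timezone.utc)
        rec = self.records[subject_id]
        r = Restriction(ground=ground, requested_at=now)
        for recipient in rec.shared_with:
            r.recipients_notified.append(recipient)  # in a real system: send the notice here
            r.audit.append(f"{now.isoformat()} notified {recipient} of restriction")
        self.restrictions[subject_id] = r
        return r

    def is_restricted(self, subject_id: str) -> bool:
        r = self.restrictions.get(subject_id)
        return r is not None and r.lifted_at is None

    def process(self, subject_id: str, purpose: Purpose) -> Record:
        """Gate every access: storage and legal claims pass, anything else needs consent."""
        rec = self.records[subject_id]
        if not self.is_restricted(subject_id):
            return rec
        r = self.restrictions[subject_id]
        if purpose in self.ALWAYS_PERMITTED or purpose in r.consented_purposes:
            r.audit.append(f"permitted {purpose.value} under restriction {r.ground.value}")
            return rec
        r.audit.append(f"blocked {purpose.value} under restriction {r.ground.value}")
        raise RestrictedError(f"{subject_id}: processing for {purpose.value} is restricted")

    def subjects_for(self, purpose: Purpose) -> List[str]:
        """Bulk jobs (e.g. a marketing run) call this so restricted records are skipped, not errored."""
        out = []
        for sid in self.records:
            try:
                self.process(sid, purpose)
                out.append(sid)
            except RestrictedError:
                continue
        return out

    def lift(self, subject_id: str, subject_informed: bool, now: Optional[datetime] = None) -> Restriction:
        """Lifting requires that the individual has been told first (Article 18(3))."""
        if not subject_informed:
            raise ValueError("inform the data subject before lifting the restriction")
        r = self.restrictions[subject_id]
        r.lifted_at = now or datetime.now(timezone.utc)
        r.audit.append(f"{r.lifted_at.isoformat()} restriction lifted")
        return r


if __name__ == "__main__":
    store = DataStore()
    store.add(Record("subj-1", "alice@example.test", shared_with=["crm-vendor"]))
    store.restrict("subj-1", Ground.ACCURACY_CONTESTED)
    print(store.subjects_for(Purpose.MARKETING))  # subj-1 is skipped while restricted
```

The `process` gate is the important piece: putting the check at the single point every read goes through means a new report or export cannot forget to honour a restriction, and the audit list gives you the evidence the ICO would expect if your decision is questioned.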
When can a restriction be lifted or refused?
A restriction on processing is normally temporary when it is made on the grounds of accuracy or necessity. Once those questions have been resolved and you have informed the individual, you can lift the restriction.
You can refuse a restriction request if you believe it is unfounded or excessive. The ICO states:
If you consider that a request is manifestly unfounded or excessive you can:
- request a “reasonable fee” to deal with the request; or
- refuse to deal with the request.
In either case you will need to justify your decision.
You should base the reasonable fee on the administrative costs of complying with the request. If you decide to charge a fee you should contact the individual promptly and inform them. You do not need to comply with the request until you have received the fee.
If you refuse a request you must tell the individual why you have made this decision, explain their right to make a complaint to the ICO, and inform them of their judicial rights.
We have talked about the need to have policies in place to make handling these requests easier. But does your organisation have a handle on the personal data it holds? ISMS.online has a solution for that…