Articles 18 and 19 and Recital 67 of the GDPR document the provisions an organisation must follow when an individual exercises their right to restrict the processing of their personal data.
Let’s take a quick look at what’s new.
The General Data Protection Regulation (GDPR) is all about giving the individual (data subject) more control over what happens to their personal data. Article 18 of the regulation details the right of the individual to make restrictions on an organisation and limit the way that they use the data.
The data subject should have a reason for restricting the data, for example, they might think the data is inaccurate or they do not believe they gave consent for their data to be used in the way that it has. Let’s look at that in more detail.
The Information Commissioner’s Office (ICO) states that:
Although there are clear distinctions, you can see that restriction of processing is related to the GDPR’s right to rectification (Article 16) and right to object (Article 21(1)). Consequently, it is recommended that if you receive a rectification or objection request, you automatically restrict processing while the request is under review.
The effective management of this aspect of the GDPR, like many others, comes down to process planning. Processing personal data includes collecting, structuring, disseminating and erasing, so you need to consider these when creating your process.
Additionally, the storage method you use is equally important. If you receive a restriction request you can temporarily move that data to a separate processing system. You can also choose to make the data unavailable or remove it from where it is currently viewable, such as a website.
If you have previously shared this data with another organisation you must inform them of the request.
A restriction of processing is normally a temporary state when it is made on the grounds of accuracy or necessity. Once these questions have been addressed and you have informed the individual, you can choose to lift the restriction.
You can refuse a restriction request if you believe it is unfounded or excessive. The ICO states:
If you consider that a request is manifestly unfounded or excessive you can:
In either case you will need to justify your decision.
You should base the reasonable fee on the administrative costs of complying with the request. If you decide to charge a fee you should contact the individual promptly and inform them. You do not need to comply with the request until you have received the fee.
If you refuse a request you must tell the individual why you have made this decision, explain their right to make a complaint to the ICO, and inform them of their judicial rights.
We talked about the need to have policies in place to make handling these requests easier. But does your organisation have a handle on the personal data that it holds? ISMS.online has a solution for that.
ISMS.online features a Personal Data Inventory & Records Processing Tracker to help you do just that.
The information in this blog is for general guidance and does not constitute legal advice.