Study on GDPR Data Subjects and Their Awareness of Privacy Rights

A recent study, which was authorised by the European Commission, reveals a high level of public awareness on EU data protection rules. The Eurobarometer report marked the first anniversary of GDPR. While many companies still struggle with GDPR, evidence suggests their customers are far from in the dark on the subject. From 27000 European respondents in the survey, 73% knew at least one of their privacy rights under EU rules.

From the perspective of GDPR authorities such as the ICO, it’s useful that individuals are becoming aware of their rights. It was always the aim and gives businesses an added incentive to comply. Lately, companies have begun to see GDPR as a business opportunity. They can show customers they respect their rights. It’s a selling point.

The Eight User Rights

Before examining the Eurobarometer report in a little more detail, here’s a reminder of the eight user rights which GDPR gives to individuals:

• The right to be informed; data controllers must inform individuals about the collection and use of their personal data. They must provide a purpose for processing that data, retention periods for its use and who they will be sharing it with. This all falls under the GDPR transparency ethic.
• The right of access; subjects have a right to access their personal data through a SAR (Subject Access Request), which can be verbal or in writing. Companies must respond to such requests within one month.
• The right to rectification; individuals have the right to ask that incomplete, inaccurate or obsolete data be rectified. Again, there is a deadline of a month for this.
• The right to erasure; the so-called “right to be forgotten” was born with GDPR. Under certain circumstances, individuals can make a request for data erasure. If legitimate, companies have a month to get it done.
• The right to restrict processing; as an alternative to erasure, subjects can ask that a data controller refrains from processing their data. There are several situations when this may be appropriate. Examples include during legal claims or while companies consider grounds for erasure.
• The right to data portability; subjects have the right to obtain their personal data from controllers and move it across different services for their own purposes. For example, this might apply when individuals are looking for quotes across several companies.
• The right to object; individuals have the right to object to the processing of their personal data in some situations. They have an inviolable right to stop their data being used for purposes of direct marketing. Companies must respond to objections within a month, but in some cases may continue processing the data if there is a plausible reason to do so.
• The right to appeal against automated decision making; data subjects have the right to appeal against automatic decision making and profiling, and request human intervention. Under Article 22 of GDPR, this type of decision making is only permissible for certain reasons. One of these is to weigh up the ability of a loan applicant to fulfil their side of a contract, so it includes credit assessments.

Companies aiming to comply with GDPR should inform their customers of these rights clearly and openly in privacy notices. Further, they should make it easy for subjects to assert their rights by providing unobstructed contact forms or details. It is not in any company’s best interests to covertly dissuade customers from exercising their rights.

GDPR-Aware Customers

As the Eurobarometer report proves, data subjects are becoming ever more aware of the rights which they have over their own personal data. In addition to the 73% who knew about at least one of their rights, 65% knew about the right of access, and 57% the right to erasure. Since GDPR sometimes seems impenetrable, this is impressive.

Despite their enlightenment, only 30% of Europeans have heard of all their rights, and a mere 13% of data subjects ever read privacy statements fully. This is all explicable, given that most of us want easily digestible internet reading. Few people will wade through a long page of contractual jargon.

The takeaway here for companies is to lay out subject user rights as clearly and concisely as possible. And in an upfront way, rather than burying all the info on a densely worded page which nobody will read. Compliance with GDPR needs some empathy from companies; an understanding of their customers and respect for them. That can undoubtedly only be a good thing all around.

GDPR Rights Over the Phone

The primary way in which companies collect data over the phone is by recording calls. That way, there is proof of consent, and the data is conveniently stored. Nevertheless, GDPR has dramatically tightened up this process. Previously, data subjects were informed that the call may be recorded, and their willingness to proceed with the call, rather than hanging up, was enough to obtain consent. It was a verbal form of the cunning pre-checked consent box or the unchecked non-consent box.

Nowadays, to obtain consent for data processing, the data subject on the phone must give an affirmative answer to whether he/she agrees to have the call recorded. This might be a vocal response via voice recognition, or it could mean pressing a key. If you are actually on the receiving end of one of these calls and are given no opportunity to respond, it’s a GDPR infringement.

Consent aside, companies must meet at least one of these criteria to proceed with such calls:

• Recording is necessary to satisfy a contract or legal requirements
• The recording is required to protect the interests of one or more of the participants
• Recording is needed for safety or in the interests of the public
• Recording is in the legitimate interests of the recorder, as long as those interests are not overridden by the interests of other participants in the call

The most common justification you’ll hear over the phone for a recorded call is “for training and quality purposes”. Since the act of recording a phone call qualifies as data collection, that message is not enough under GDPR. It doesn’t obtain the recipient’s consent. You can be sure many companies and their staff are not ready for this, nor the legitimate questions you could ask them about the precise purpose of the data or how long it will be retained.

Get Ready

The overriding message for companies a year after GDPR is to be ready for the increasing awareness customers have over their rights. Don’t get caught out, act now!