GDPR Principles: Accuracy
This post represents part 4 of a series of posts covering principles of the General Data Protection Regulation (GDPR). The regulation sets out 7 key principles that set the foundation for the directives to be enforced by the legislation. Today we will be covering the accuracy principle. Below are links to the full series of posts:
- Part 1 GDPR Principles: Lawfulness, Fairness and Transparency
- Part 2 GDPR Principles: Purpose Limitation
- Part 3 GDPR Principles: Data Minimization
- Part 4 GDPR Principles: Accuracy
- Part 5 GDPR Principles: Storage Limitation (Coming Soon)
- Part 6 GDPR Principles: Integrity and Confidentiality (security) (Coming Soon)
- Part 7 GDPR Principles: Accountability Principle (Coming Soon)
The accuracy principle of the GDPR sets forth that data controllers must make efforts to maintain accurate personal data of their data subjects. For the most part this principle is self explanatory, but there are a few considerations for organizations that are not immediately apparent. At a high level, compliance means:
- Ensuring that data you maintain is accurate and not misleading in a way that could be harmful to the data subject
- Making efforts to keep personal data updated where reasonable and applicable
- Making timely efforts to correct or erase personal data when inaccuracies are discovered
- Reviewing all challenges to the accuracy of personal data and correcting or erasing where necessary (Right to rectification)
One of the main changes to previous legislation stems from the last point above. The rights of data subjects have been strengthened and citizens have the right to challenge data inaccuracy under the GDPR and have it corrected or erased. Compliance with these types of requests can be more accurately managed with compliance software such as a subject access request portal. Compliance with external requests carry a base timeline of 30 days for response. Internal discovery of inaccuracy is more ambiguous and organizations should be able to demonstrate progress towards rectification or erasure at reasonable intervals.
1. Personal data shall be:
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)1
Determining accuracy isn’t always as simple as making sure personal information is up to date, there are several situations that present complexities from a regulatory and legal perspective.
One such case is determining the accuracy of historical records. For instance a loan holder may maintain personal data about where a person has lived. If they move from Miami to Jacksonville and their current residence is still listed as Miami then their personal data would be inaccurate. However maintaining a record stating that they used to live in Miami but they now live in Jacksonville would be accurate but should be marked as historical.
Recording mistakes is a tricky subject. Mistakes can come in many forms and various levels of challenge to the records may be encountered. For instance, a patient may receive a misdiagnosis in their medical records as part of care. Since these records are not public, a health clinic is unlikely to encounter significant resistance to a record of these mistakes. An employee accused of sexual harassment who is later found to be innocent would likely have a high interest in having the accusation purged from personnel files. Whether it is appropriate to record a mistake is a complex subject and you should consult a data privacy attorney if you have concerns.
Opinions are subjective by their very nature, and in today’s world of social media and at-will authorship, there are plenty of them. Opinions are protected by the first amendment right to freedom of speech but the GDPR sets forth that controllers and processors should make it clear that data is an opinion, and who’s opinion it is. Opinions are not considered mistakes even if other data subjects disagree or the opinion is later proved wrong. If the opinion was based on inaccurate fact, publishers should make sure to note that so the record is not misleading. Some opinions may be prone to challenge by data subjects such as medical opinions. It’s important to note the basis for the challenge and conduct a review on whether the data needs to be rectified or erased.
Ensuring Data is Current
The accuracy principle states that reasonable efforts should be made to ensure personal data is current. Extreme measures do not have to be taken to ensure records are up to date, some information like a patient’s insurance information should be actively kept up to date, but other information such as user profile data on social networks can rely on the end user to provide updates. It is not necessary for an organization maintaining voluntarily provided personal data to ensure that it is kept up to date – at least from a compliance perspective.
Compiled Information and User Provided Information
What qualifies as reasonable steps varies depending on whether the controller or processor collected the information into a personal data record or the data subject provided the information. The burden of compliance is significantly higher for information collected and compiled by a processor or controller. When an organization such as a credit reporting agency develops an independent record of someone, they must make efforts to verify the information collected and used in processing. One of the criteria for compliance scrutiny is impact to the individual. Credit reporting agencies that collect and process personal data have a high impact to the individual, but an internet directory site that scrapes information from websites that was already provided will face different scrutiny. The credit reporting agency may be expected to make calls to debt holders to verify the information provided, where a directory site may have no burden at all.
User provided information in general has a more relaxed burden of verification. Common software development practices like form field validations can demonstrate compliance when relying on the accuracy of end user data. For example, application programmers can ensure data is a number when collecting a phone number or zip code, and is a date when collecting a birth date – both of which can serve as an appropriate compliance measure. Again, consider the impact to the individual when deciding what steps are taken to ensure compliance with the accuracy principle.
If you suspect you are working with information that needs verification steps to ensure accuracy, make sure to document the act of reaching out for verification. If discrepancies are found, be sure to note them and document rectification or erasure. If a citizen challenges the accuracy of data, make sure to document compliance with the challenge by capturing request details, thought process for reviewing the challenge, and outcome including any rectification or erasure.
The accuracy principle states that controllers and processor should make reasonable efforts to ensure personal data is accurate. They must allow citizens to challenge the accuracy of data and take steps to rectify or erase the data associated with the challenge. Verification is sometimes needed to ensure data is accurate. Controllers and processors should consider the impact to the individual and whether they collected the data or the user provided it when determining appropriate verification steps. Organizations should document challenges and their responses thoroughly and in a timely manner. They should also document the thought process for determining whether personal data needs to be verified and the verification steps taken if necessary.
This article will discuss how a one way hash function can be used in the context of privacy compliance for regulations like the GDPR. Storing customer’s personal data is an inevitability for scaling businesses in today’s technical world. One way hash functions are a useful tool to store sensitive customer data such as passwords and…
Data minimization is the concept of collecting the minimum amount of data needed to carry out the stated purpose and no more. When conducting a data minimization evaluation you must ensure that the data collected is adequate and relevant to your stated purpose as well as limited. The onus is on the organization to document compliance with this principle. We recommend documenting a review of this principle each time new personal data is collected or processed. Conduct at least an annual audit of personal data that has been collected or processed to ensure that changes in the business have not impacted compliance with the data minimization principle.
The GDPR’s purpose limitation principle constrains the use of personal data to the original purposes or those purposes compatible with the original purpose. There are a handful of pre-approved compatible purposes such as archiving purposes in the public interest, scientific and historical purposes, and statistical purposes. Under the GDPR, the burden falls on controllers and processors to document their purposes and reasoning behind them. These must be documented externally to be transparent to the end user, and internally with regular audits. Care must be taken when deciding a purpose is compatible with the original. An analysis must be conducted to determine compatibility and it’s a good idea to document the reasoning behind claiming a purpose is compatible with the original. Make sure to consider linkages to the original purpose, and consequences to the end user.
The first principle of the GDPR, Lawfulness Fairness and Transparency focuses mostly on the underlying reasons for collecting and processing personal information and how it will be used. It outlines the need for a lawful basis for processing and discusses the 6 bases for processing that have been identified. The bases of consent is the most recommend basis and organizations would do well to ensure they establish proper consent collection mechanisms. It ensures that data is collected fairly and that the collection does not present unjust injury to an individual or group of individuals, regardless of how many other individuals are unaffected. It ensures that organizations are being transparent in the way they inform their users on the type of information that is collected and the way it will be processed and used. The responsibility lies within the collecting organization to document compliance with principles of the GDPR. Establishing a process for documenting a lawful basis for processing, fairness, and transparency in collection will leave organization prepared for regulatory scrutiny, help avoid lawsuits and fines.
The General Data Protection Regulation (GDPR) and Data Protection Act of 2018 (DPA) are complex, in depth, complementary legal documents which act as a code of conduct for businesses involved in the processing of personal data. Henceforth these regulations will be referred to as the GDPR. There are many aspects of compliance with these regulations and the best place to keep up to date and understand aspects of compliance is the Information Commissioner’s Office’s (ICO) Guide to General Data Protection Regulation. This article highlights the aspects of compliance that SteadyHOPS provides.