We’re all data subjects now

Whether you are a chief executive with a LinkedIn account, a charity worker with a Twitter presence, or a lawyer subscribed to newsletters and conference websites, you are an individual that has signed up and agreed to the terms and conditions of a service.

But when it comes to discussing data protection and the new law which is currently making its way through Parliament, most attention is paid from the perspective of data controllers (those that hold the data), and not as data subjects (those whose data is being held).

We are all data subjects, with rights that we can exercise. It’s important not to lose sight of that. The General Data Protection Regulation – and the UK Government’s data protection bill which brings it into UK law – intends to create more accountability, with less bureaucracy. One way towards achieving those goals is to empower individuals to exercise their rights.


These rights give individual’s the opportunity to change services, to restrict or refuse automated processing, and the right to be forgotten, among others. Each of these have a significant affect in redrawing the relationship between an individual, and the public or private body that controls their data.

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Providing the processing is based on the individual’s consent or the performance of a contract, and that it is carried out by automated means.

For example, you now have a right to request your energy provider processing your meter readings you submit to work out your bill, to provide those readings back to you in a format that you can transfer to another energy provider, to possibly receive a better quote or service.

The right to erasure (popularly known as the right to be forgotten), is also included in the new rights framework. While not as absolute as some business leaders liked to scaremonger, it is another important development for individuals. When the personal data is no longer necessary in relation to the purpose for which it was originally collected or processed, an individual can request the erasure of that data.

A controller could refuse to comply with that request, but would have to come up with a good reason for doing so (for example, public health purposes in the public interest; performing a legal obligation of a public interest task; or defending legal claims). If no good reason can be provided, then you have the right to have that personal data erased.

Importantly, if the data controller had shared the personal data with other third parties, they have to go to those third parties and inform them about the erasure, unless it is impossible or involves disproportionate effort.

Taking our energy provider example again. You’ve decided you are going to switch providers and get that better deal, you should also return to the old provider and ask for your personal data currently held to be erased as it is no longer necessary for them to process that data, and that energy provider who shared the information with third parties (say a smart meter provider) would have to inform them that your personal data is to be erased.

One right that will grow in importance in the future are the safeguards against the risk that a potentially damaging decision is taken without human intervention. Individuals have the right not to be subject to a decision when it is based on automated processing, and produces a legal effect or similarly significant effect on the individual.

It is vitally important we start to understand how we can exercise our rights. The consumer group Which? published market research this month that almost 1 in 5 consumers said they would not know how to claim redress following a data breach, and the same proportion reported that they would not know who is responsible for helping them when data is lost. These statistics suggest a deficit in our understanding of rights that we have, and how to exercise them.

There are two outcomes for this new data protection law, one guaranteed, one potential. The guarantee is that the lawyer, the chief executive, and the charity worker will understand their responsibilities as data controllers. They have to and there are enough trainings and seminars out there to remind them of that. The potential outcome is that we will all become data subjects capable and ready to exercise our rights under this new framework. The work Open Rights Group plans to undertake will help the public reach that potential outcome.

This article was originally published in LegalScot supplement with Times Scotland on 29 November, you can find it on their website here: http://futurescot.com/rights-gdpr-open-rights-group/