Messy Data Increases Your Risk of GDPR Fines and Exposure
John Bliss
General Counsel|Chief Privacy Officer|Strategist|Entrepreneur|TechStars '10|Advisor
Inaccurate data is a trap for the unwary: a single messy customer record can give rise to several distinct General Data Protection Regulation (GDPR) violations at once. How can your organization avoid those traps and the enforcement actions and penalties that follow them?
Many experts expect the first targets for enforcement to be companies that suffer a data breach (repeat offenders in particular) or that fail to respond adequately to Individual Rights requests from data subjects. Compliance with the latter depends on overcoming the challenges that inaccurate data creates, as outlined below.
GDPR Article 15, Subject Access Requests
Article 15 confers on a data subject the right to obtain from the controller confirmation as to whether personal data concerning him or her are being processed and, where they are, access to that data and related information. Such requests are commonly known as Subject Access Requests (SARs) and flow from the Right of Access, one of the Individual Rights that must be protected. Under Article 12(3) the controller must respond without undue delay and in any event within one month of receipt, a period that may be extended by two further months only where requests are complex or numerous. The problem arises as follows: your customer submits a SAR on day one and the one-month clock starts ticking.
If a company cannot locate all of the customer's data because it does not know where that data resides, or if inaccurate data about the subject produces inaccurate results, it will have difficulty complying with Article 15. That failure would also suggest a violation of Article 5, which under subsection 1(d) requires personal data to be "accurate and, where necessary, kept up to date".
The GDPR and its Recitals refer to "accurate" personal data only a handful of times, and none of those references defines what "accurate" means. It would be prudent to assume that "accurate" covers a range from clerical errors in the personal data itself (e.g., John Bliss, not Jon Bliss) to substantive errors with serious civil liberties implications (e.g., Jon Bliss received a drunk driving citation, not John Bliss).
GDPR Article 16, Right of Rectification
The Right of Rectification allows the data subject to have inaccurate personal data about him or her rectified, and incomplete personal data completed, "without undue delay"; the Article 12(3) deadline of one month (extendable by two further months for complex or numerous requests) applies here as well. If a company does not know what records it holds on the data subject, how can it even begin to rectify inaccuracies (e.g., its records reflect two people when in fact they are one) or complete incomplete data (e.g., one file is missing an email address)?
If a company finds Liz Reston with no email address in its HR database and Lizzie Reston in its Warranty database with an email address, how will the person searching know that this is the same person? Moreover, even if you locate the records and eliminate the inaccuracies or gaps, but cannot do so within the month, will you have failed to address this Right "without undue delay" as Article 16 requires?
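To make the Liz/Lizzie problem concrete, here is an added example (not code from the article, and not any vendor's product) that runs a SAR lookup over two small constructed databases. The records, the nickname table and the scoring rules are all hypothetical. It shows that an exact-match lookup on the name as typed both misses the Warranty record and pulls in an unrelated Liz Reston, while a canonicalizing search surfaces the right candidates but still leaves weakly evidenced ones for human review rather than merging them automatically:

```python
import re
import unicodedata

# Constructed sample databases (hypothetical data, not from the article).
HR_DB = [
    {"id": "hr-001", "name": "Liz Reston", "email": None, "postcode": "EC1A 1BB"},
    {"id": "hr-002", "name": "Jon Bliss", "email": "jon@example.com", "postcode": "SW1A 1AA"},
]
WARRANTY_DB = [
    {"id": "w-501", "name": "Lizzie Reston", "email": "liz.reston@example.com", "postcode": "EC1A 1BB"},
    {"id": "w-502", "name": "John Bliss", "email": "john.bliss@example.com", "postcode": "SW1A 1AA"},
    {"id": "w-503", "name": "Liz Reston", "email": "l.reston@example.net", "postcode": "M1 1AE"},
]
SOURCES = {"hr": HR_DB, "warranty": WARRANTY_DB}

# Hypothetical nickname table mapping short forms to a canonical given name.
# Deliberately tiny; a production table would be far larger and locale-aware.
NICKNAMES = {"liz": "elizabeth", "lizzie": "elizabeth", "beth": "elizabeth",
             "jon": "jonathan", "johnny": "john"}


def normalize_name(name):
    """Lowercase, strip accents and punctuation, collapse whitespace."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    ascii_name = re.sub(r"[^a-z\s]", " ", ascii_name.lower())
    return " ".join(ascii_name.split())


def canonical_name(name):
    """Normalize, then replace a leading nickname with its canonical form."""
    parts = normalize_name(name).split()
    if parts:
        parts[0] = NICKNAMES.get(parts[0], parts[0])
    return " ".join(parts)


def normalize_postcode(code):
    """Uppercase with internal whitespace removed; None stays None."""
    return "".join(code.split()).upper() if code else None


def exact_search(name):
    """The naive SAR lookup: case-insensitive exact match on the name as typed."""
    target = name.strip().lower()
    return [(src, rec["id"]) for src, db in SOURCES.items()
            for rec in db if rec["name"].strip().lower() == target]


def resolve(query):
    """Cross-database candidate search for a SAR.

    Each candidate carries the evidence that linked it and a decision:
    'match'  - a strong identifier (email) agrees
    'review' - canonical name plus postcode agree; needs a human check
    'weak'   - canonical name alone agrees; probably a different person
    Nothing is merged here; the output is the worklist for the reviewer.
    """
    q_name = canonical_name(query["name"])
    q_email = (query.get("email") or "").strip().lower() or None
    q_post = normalize_postcode(query.get("postcode"))
    results = []
    for src, db in SOURCES.items():
        for rec in db:
            reasons = []
            r_email = (rec.get("email") or "").strip().lower() or None
            if q_email and r_email and q_email == r_email:
                reasons.append("email")
            if canonical_name(rec["name"]) == q_name:
                reasons.append("name")
            if q_post and normalize_postcode(rec.get("postcode")) == q_post:
                reasons.append("postcode")
            if "name" not in reasons and "email" not in reasons:
                continue  # a shared postcode alone is not evidence of identity
            if "email" in reasons:
                decision = "match"
            elif "postcode" in reasons:
                decision = "review"
            else:
                decision = "weak"
            results.append({"source": src, "id": rec["id"],
                            "decision": decision, "evidence": reasons})
    return results


if __name__ == "__main__":
    sar = {"name": "Liz Reston", "email": "liz.reston@example.com", "postcode": "EC1A 1BB"}
    print("exact:", exact_search(sar["name"]))
    for hit in resolve(sar):
        print(hit)
```

The point of the three-way decision is that a controller answering a SAR under Article 15 needs both recall (find the Warranty record filed under "Lizzie") and precision (do not hand one Liz Reston's data to another). The exact search fails on both counts; the resolver finds every plausible record but records why each was linked, which is also the kind of trail a reviewer or supervisory authority will want to see.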
GDPR Article 17, Right to Erasure (Right to be Forgotten)
The Right to Erasure (perhaps more commonly known as the Right to be Forgotten) rests on a broad principle underlying the whole of the GDPR: personal data belongs to individuals, who lend it to companies intent on monetizing it. As with any loan, the loan can be called.
It stems from the May 2014 ruling against Google by the Court of Justice of the European Union (C-131/12, 13 May 2014), which found that certain people can ask search engines to remove specific results for queries that include their name, where the interests in those results appearing are outweighed by the person’s privacy rights.
This Right enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Among the grounds listed in Article 17(1), two matter here: the right can be triggered when an individual objects to the processing (Article 17(1)(c)), or where the personal data have been unlawfully processed (Article 17(1)(d)). If an individual objects to processing on the grounds that the data the company holds about him or her is inaccurate, that objection provides a basis for invoking the Right to be Forgotten. Inaccurate data, the argument would go, is unlawfully processed data. The right is not limited to processing that causes unwarranted and substantial damage or distress; simply holding inaccurate data about the data subject is grounds enough for a finding of noncompliance.
GDPR Article 18, Right to Restriction of Processing
Article 18 enables individuals to "block" or suppress processing of their personal data. An individual can exercise this Right if he or she contests the accuracy of personal data held by a company (Article 18(1)(a)). While processing is restricted, the company may store the personal data but may not process it further until it has verified its accuracy. Your messy data problem gets worse if the company has already disclosed the data in question to others.
In that event, Article 19 requires the controller to communicate the restriction to each recipient of the data, unless doing so proves impossible or involves disproportionate effort. If the inaccurate data remains, the individual can either pursue erasure under Article 17 or, if he or she opposes erasure, continue to request restriction under Article 18 instead. Recital 67 notes, "In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed." That requirement becomes a tall order when you do not know who is who in your data.
GDPR Article 25, Data Protection by Design and by Default
In a world awash with messy, inaccurate data, it’s hard to see how the Article 25 obligation to “process only personal data which are necessary for each specific purpose,” can be satisfied if controllers don’t have a handle on who the individual subject to the processing is, across all the controller’s constantly evolving databases. Further, Recital 78 states, “The protection of the rights and freedoms of natural persons with regard to the processing of personal data requires that appropriate technical and organizational measures be taken to ensure that the requirements of this Regulation are met.” Can this be satisfied if a company is resorting to manual search? Manual search seems anachronistic and hardly offers “appropriate technical” measures.
GDPR Article 30, Records of Processing Activities
While not an Individual Right like those above, Article 30 can present problems too if efforts to process messy data are not recorded. Controllers (and processors) are required to maintain records of their processing activities. Handling an individual's request for erasure or rectification is hard in a manual search environment, and is aided by technologies that automate the search and produce an easily exportable, machine-readable record of what was done. Article 30(5) offers a limited exemption for small and medium-sized organizations: if you have fewer than 250 employees, you need only document processing activities that (1) are not occasional; (2) are likely to result in a risk to the rights and freedoms of individuals; or (3) involve special categories of data or data relating to criminal convictions and offences.
A recent study published by Senzing, Finding the Missing Link in GDPR Compliance, surveyed 1,000 EU companies. It found that the average company expects to receive 89 SARs per month, enough to require one full-time employee devoted to searching for data in response. That raises the question: would 89 requests a month be "occasional"? I doubt it, so prudence suggests that SMEs take this obligation seriously and not assume they can find shelter in the "occasional" exception.
In summary, messy data that is left unattended can become a GDPR hazard for your company. Manual searches of inaccurate data leave your company at risk. Don’t let it be a trap for the unwary.