09 April 2018
When a data subject challenges the accuracy or legitimacy of you holding their data you must restrict processing, including access, while you investigate. But, this leads to questions as to how this is this being done. And, more importantly, what are YOU doing about it? The reality is not many are actually doing this yet, and while systems can be configured to do so, very few applications comply with privacy by design. Practically-speaking, databases should only be accessed by a designated few while the redaction investigations are performed. This means only authorised staff can access personal data. If the data is used for analytics purposes, it should be anonymised.
Of course, for large multi-national institutions, such as those in the financial sector, there will be hundreds siloed systems (databases). Therefore, in order to comply with the explicit consent requirement for processing personal data it is possible to obtain aggregated view of consent status if:
(a) there are no other legal bases mixed with consent-based processes;
(b) there are too many purposes listed against that consent; OR
(c) there are multiple profiling algorithms.
The difficulty with aggregated consent is where it may be unclear to the data subject that they are separate consents and also because it encourages bulk withdrawal of consent.
An alternative approach is to build an index of personal data items mapped to individuals and then incorporate a 'do not process' or restriction flag in the index, at the individual person level. However, this method also brings its own challenges, as it requires checking the flag in all the correct places in code.
As a business, you should identify how PII data moves through your systems and establish the legal bases for all the different processing activities. Questions should be asked as to whether or not the process requires all of the siloes for a particular processing activity. It should be easy for you to define what constitutes a processing activity in your company’s context and map the various PII processing activities before defining the legal base for all. This will provide clarity when responding to data subject requests and keeping the audit trail for the ICO.
To find how our friendly and knowledgeable solicitors can help you, contact us today.
Make a free enquiry - Call now - 0151 659 1070
