I was invited to contribute to a seminar on the Right to Object (RtO). Normally this GDPR provision is seen as a way to prevent harm to a particular individual because of their special circumstances. But I wondered whether data controllers could also use the RtO process as an opportunity to review whether their processing can be made safer for everyone.
The diagram shows how this might work. Across the top we have the normal “Accountability” design process whereby a controller identifies the appropriate lawful basis for their processing; applies the relevant tests of benefits, risks and safeguards; and publishes information describing the processing and demonstrating their accountability. Ideally, this should result in processing, safeguards and documentation that make everyone content.
For the purposes of this talk I’ve divided up the six lawful bases into three groups:
- Those (contract, legal obligation, vital interests) that allow processing to be mandatory for everyone in a group;
- Those (legitimate interest, public interest) that – subject to specific safeguards – allow processing of those who don’t object, in other words where it’s desirable to have broad coverage; and
- Consent, which only allows processing of those who actively opt in; and, incidentally, lets them change their mind as often as they like.
The Right to Object only applies when using a lawful basis from the “desirable” group. Formally it isn’t an automatic right to opt out: the data controller can continue processing if it can demonstrate “compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject” (Art.16(1)). Doing so is likely to further upset the individual, so this is a risky approach compared to treating an Objection as a simple opt-out.
But the important point for this analysis is that the arrival of an Objection indicates that at least one data subject was not reassured by the results of our Accountability process. GDPR requires the data controller to address the concerns of that individual, but it may be possible to get more value from the process by considering the Accountability results more generally. Looking at the stages of the diagram in turn:
- It’s possible that an Objection might identify that the wrong lawful basis was chosen, for example if an individual feels they ought to be able to opt out from processing that we previously identified as mandatory. Changing lawful basis is a significant step – probably involving deleting all data and starting again – so it’s worth quite a lot of effort to get this right first time.
- More likely, an Objection may highlight new risks or safeguards that weren’t identified by the original Accountability process. This sort of change is positively encouraged by GDPR, so it’s well worth considering whether risks can be addressed, or safeguards incorporated, in our normal processing.
- Or the Objection may show that some aspect of the processing – for example its benefits or safeguards – could be better communicated. Both can be explained through a Legitimate Interests Assessment (LIA) or Data Protection Impact Assessment (DPIA); publishing those documents is a good way to reassure data subjects.
Most data controllers would hope that Objections will be rare if they get their Accountability right. So it’s well worth getting the maximum benefit when they do arrive.