Data Restriction Under GDPR, When and How It is Done
After a period of data discovery and mapping, a company can become more confident in its GDPR compliance. And yet GDPR compliance is never finished. It’s an ongoing process of monitoring data, deleting it and responding to the requests of data subjects. One such request, under Article 18 of GDPR, is the right to restrict processing. What exactly does that entail?
As an alternative to erasure of data (aka “the right to be forgotten”), individuals can ask a data controller to restrict processing. They may do this verbally or in writing. Companies have a month to respond to such a request, which may or may not be valid, depending on the circumstances.
When Data Restriction Applies
Restriction of data processing is like data erasure, except it may be temporary. It means the processing of data should not take place without the consent of the data subject. In some circumstances, data processing may go ahead without this permission. For instance, it can proceed as part of a legal action, to protect others, or in the interests of the public.
Companies must accede to a request for processing restriction if any of the following applies:
- If accuracy of personal data is in doubt, a processing restriction may begin while an investigation takes place.
- If the processing of data was unlawful to begin with under GDPR.
- If the data subject needs you to store the data for the purposes of a legal claim. This prevents companies from erasing data, even if they no longer need it.
- If the data subject requests data rectification or objects to the use of their data. An interim period of data restriction takes place while the issue is dealt with or assessed.
It’s good practice to comply with requests for data restriction while making decisions as to their legitimacy. Only if a request is “manifestly unfounded” is a company likely to refuse quickly. Even then, it must take care over the decision.
Three Examples of Data Restriction
There are various instances where a data-processing restriction might apply, but how is it carried out? In fact, there are several ways to stop processing without removing data from your system altogether. Details of three examples listed by the ICO are below.
1. Temporarily Move Data to Another Processing System
To restrict the processing of an individual’s data, you must have total control over it. The data should ideally be handled manually and removed from any automated filing or processing system. Where this is impossible, take technical measures to ensure further processing does not occur during the request.
Continuation of data processing after a request for restriction is a potentially serious breach of GDPR. The consequences may be harsh if it exposes other GDPR misdemeanors. Companies should always err on the side of caution when handling restriction requests. The ability to quarantine data so it is safe from processing or deletion is a useful aid in compliance.
2. Make the Data Unavailable to Users
To halt the processing of an individual’s data, you need a fail-safe system where the data is only accessible by a few. This might mean removing it from the front end of processing or filing and separating it from the pack. Alternatively, security measures such as multi-factor verification can protect the data in situ.
It’s an obvious thing to say, but accidental processing is impossible if the data is inaccessible. The essence of data restriction is to preserve it, untouched, until such a time that you can revive or delete it. In order for this to work, familiarity with request procedures is vital. GDPR compliance software is useful for preventing human error.
3. Temporarily Remove Published Data from a Website
You must remove personal data from a website while a restriction request is under review or while the restriction is in effect. The same applies if the subject asserts his or her “right to be forgotten”, except the data is then also deleted from storage (e.g. servers, hard drives).
An example of where online removal might apply is on social media websites where some personal data is on show to visitors. Particularly during a crisis, people often wish to conceal their personal data without deleting accounts. Such a desire would probably be honored unless it had an adverse effect on others or legal consequences.
Photos, as well as written information, may count as personal data. Note that “processing” includes a wide range of data operations, including publication of photos and videos. Even after removal, the website owner may be partly liable for images or web pages cached by search engines. It’s wise to follow up on removal of data from a website and make sure it’s not still available elsewhere by proxy.
Have a System in Place
To handle processing restriction requests, your company should have a system in place and GDPR-trained staff. The onus is on businesses and not individuals to identify each type of request. Such requests need no formal labels to be legitimate, nor does the data subject need to be aware of all his or her rights. It’s the business that must “know its stuff” on GDPR.
Small to mid-sized businesses can organize themselves better with GDPR compliance software. Built-in expertise provides useful guidance. Whatever you do, don’t wait for requests to roll in before acting—get ready now!