What is the Right to Rectification?
Defined in Article 16, the Right to Rectification is one of the data subject rights covered in Chapter 3 of the General Data Protection Regulation (GDPR).
Right to Rectification Summary
- Data subjects have the right to have inaccurate personal data rectified
- Data subjects also have the right to have incomplete personal data completed, depending on the purpose of the processing; this may involve the individual providing a supplementary statement to the incomplete data
- Requests for rectification can be made to organizations (data controllers) either verbally or in writing
- Rectification requests are often based on information obtained through an individual’s prior subject access request
- Right to rectification requests must be handled by the organization (data controller) without undue delay and within one month after receiving the request
- This right is closely related to the obligations under the accuracy principle (Article 5) of the GDPR
Business Considerations for Organizations to Understand
What are the steps you take in answering right to rectification requests?
The initial step in answering a right to rectification request is to verify the accuracy, or completeness, of the personal data in question. Verification is often managed using data discovery tools, especially for organizations processing large amounts of data. If it is determined that the data in question justifies rectification, the organization must rectify it across all areas within the organization where the data is present and captured incorrectly. This task is daunting and complicated to manage manually, so it is often executed with technical solutions built to handle data subject requests. Lastly, the organization needs to respond to the data subject in a timely way with the actions taken as a result of their request.
How do you determine the accuracy of personal data?
Unfortunately, the GDPR does not define how to determine the accuracy of information. However, under the earlier law, the Data Protection Act of 1998, personal data is deemed inaccurate if it is incorrect or misleading as to any matter of fact.
The above definition provides a baseline for organizations when justifying rectification for inaccuracies; however, other factors should be taken into account, too. Organizations should take into consideration the arguments and evidence provided by the data subject. Additionally, understanding the nature of the personal data is an essential element in addressing inaccuracies.
Some rectification requests may concern records that are opinions rather than factual data. The accuracy of opinions is difficult to assess or determine because they are subjective by nature. However, as long as the organization presents clear criteria for recording personal data as opinion and, where appropriate, acknowledges whose opinion it is, it may have a legitimate basis to contest a data subject’s claims of inaccuracy should it prefer or need to continue processing the data.
How do you prevent right to rectification requests?
Good data governance and management can help guard against unreasonable rectification requests. An important safeguard against challenges to opinion data is to consistently and accurately record any data that is opinion and, where appropriate and possible, to record whose opinion it is. Additionally, periodic widespread data reviews can prevent future urgent needs to rectify data in response to data subject requests.