The right to restrict processing is one of eight rights enforced by the EU General Data Protection Regulation (GDPR). Upon request, an organisation must stop using an individual’s personal data, although it can continue storing it.
It’s an alternative to requesting the erasure of data and will most likely be exercised when individuals contest the accuracy of information, the way it is processed or if they want the data to be erased but the organisation has a legal obligation to retain it.
In most cases, the restriction will be lifted once the data subject’s concerns are resolved or the organisation no longer needs the information.
How to restrict processing
When an individual exercises their right to restrict processing, organisations have 30 days to comply. They must therefore act quickly and thoroughly. Data can be collected through a number of sources, and processing consists of many separate elements, such as the collection, structuring and dissemination of data. These all need to be accounted for, so it’s advisable to have a system in place to coordinate each element.
The GDPR recommends that organisations:
- Temporarily move data to another processing system;
- Make the data unavailable to users; or
- Temporarily remove published data from a website.
If your organisation has an automated filing system, you need to use technical measures to make sure further processing doesn’t occur and that data can’t be changed while the restriction is in place.
Links to other rights
As with all data subject rights under the GDPR, individuals are free to exercise their right to restrict processing “without prejudice to any other right”. In other words, an individual can still exercise other rights when the organisation has restricted the processing of their information.
Individuals are also entitled to request the restriction of data processing while exercising other rights. This will be seen most often with the right to object to data processing and the right to rectification. Both rights involve disputes over the legitimacy or use of data, so organisations should be prepared to restrict processing when either is invoked.
The complexity of the GDPR and the ramifications for non-compliance hasn’t escaped the attention of senior staff in organisations across the EU. The threat of disciplinary action, fines and reputational damage has created a surge in demand for data protection experts, so there has never been a better time to gain a relevant qualification.
Our Certified GDPR Foundation Training Course provides the perfect introduction to the Regulation and its requirements. It’s delivered by an experienced data protection practitioner, who will explain:
- The GDPR’s background and terminology;
- The six data protection principles;
- The role of data controllers and processors;
- Data subjects’ rights;
- How to secure personal data; and
- How to report data breaches.
This one-day course is running in venues across Europe, and is suitable for directors or managers who want to understand how the GDPR affects their organisation, employees who are responsible for GDPR compliance, and those with a basic knowledge of data protection who want to develop their career.