How do we help people exercise their rights?

The UK GDPR gives people various rights about their personal information. You must help people exercise these rights. This includes people who are registered or unregistered users of your IoT products and services and whose personal information you process.

You should consider how you can do this in the easiest and most appropriate way for them – for example, directly through your IoT product, through its accompanying mobile app, or through any online account they use.

You should pay particular attention to this if your IoT product is aimed at children or likely to be accessed by them. You should provide prominent and accessible tools to help children exercise their data protection rights and report concerns.

Further reading

Individual rights

Our guidance on privacy in the product design lifecycle contains more information on empowering people to exercise their rights through interfaces.

What is the right of access?

The right of access allows people to see what information you collect and share about them. It allows people to submit a subject access request (SAR) and receive a copy of the personal information you process. 

You should consider how to give people access to their information where they might expect it. This could be directly on the IoT product, in its accompanying mobile app or in the user’s online account. 

You should:

  • avoid making this process unnecessarily cumbersome; and 
  • consider where your users are most likely to look for tools allowing them to access their personal information.

Example

An IoT product is designed to be used with an accompanying mobile app. Users can also create an online account by using their browser, eg on a desktop PC or on their mobile device.

In these cases, a user may find it logical to look for ways to make a subject access request (SAR) in the mobile app’s settings as this is where they will usually interact with the product’s features. 

The organisation also enables users to make a SAR by logging into the online account via their browser.

A different organisation makes a similar product with the same sort of online functionality. However, it enables users to make a SAR only through the online account and not the mobile app. This is not good practice because it artificially limits how people can exercise their rights, and doesn’t take account of how they normally use the product. 

Personal information obtained through an IoT product can relate to more than one person. Therefore, responding to a user’s request to access information may involve providing information that relates to both the requester and another person.

You should consider whether it is possible to comply with the request without revealing information that relates to and identifies another person. You may delete from your response parts of the information that would identify the other person.

If you cannot separate out the other person’s information, you could ask them for their consent to disclose it, if they are known to you. Alternatively, in some situations it may be reasonable to disclose the information about them without consent. Refer to our guidance on the right of access for when this might be the case.

Example

When several people hold accounts for the same IoT product and one of them makes a subject access request, some of the information you could give will probably relate to the other account holders as well as the requester.

Because they hold accounts with you, and are likely to know each other, you have the means to contact them and ask for their consent to disclose it.
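The redaction step described above is easy to get wrong in a shared-device backend, where one event row often relates to two or more account holders. The following is an added example, not code from this guidance or from any product: it builds a SAR response from a constructed home-hub event log, keeps every event the requester is a subject of, and withholds the other account holders’ identifying values unless their consent has been recorded. The event shape, account ids and field names are assumptions.

```python
"""Redacting third-party information in a SAR response for a shared IoT
product. Added example; data shapes and function names are assumptions."""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Iterable

REDACTED = "[withheld: identifies another person]"


@dataclass(frozen=True)
class Event:
    """One entry from a shared home hub's event log (constructed shape)."""
    event_id: str
    timestamp: str
    kind: str
    # Personal information keyed by the account it relates to. One event can
    # relate to several account holders at once (e.g. two people detected).
    persons: dict[str, dict[str, str]]
    # Device-level facts that identify nobody in particular.
    device: dict[str, str]


# Constructed sample log for a home hub shared by three account holders.
SAMPLE_EVENTS: list[Event] = [
    Event("e1", "2024-03-01T07:02:00Z", "voice_command",
          {"acct-1": {"name": "Alice", "voice_match": "profile-a",
                      "query": "what's the weather"}},
          {"room": "kitchen"}),
    Event("e2", "2024-03-01T07:05:00Z", "presence",
          {"acct-1": {"name": "Alice", "phone": "Alice-iPhone"},
           "acct-2": {"name": "Bob", "phone": "Bob-Pixel"}},
          {"room": "hallway", "sensor": "motion-2"}),
    Event("e3", "2024-03-01T09:30:00Z", "doorbell",
          {"acct-3": {"name": "Cara", "face_match": "profile-c"}},
          {"action": "unlock"}),
    Event("e4", "2024-03-02T22:15:00Z", "routine",
          {"acct-1": {"name": "Alice", "bedtime": "22:15"},
           "acct-3": {"name": "Cara", "bedtime": "22:40"}},
          {"thermostat": "18C"}),
]


def build_sar_response(events: Iterable[Event], requester: str,
                       consented: frozenset[str] = frozenset()) -> dict:
    """Assemble what to give `requester` in response to their SAR.

    Every event the requester is a subject of is included, with their own
    information and the device-level facts intact. Another account holder's
    information in the same event is included only if that person has
    consented; otherwise the values are withheld, and the response records
    which fields were withheld and whom to approach for consent.
    """
    records: list[dict] = []
    needs_consent: set[str] = set()
    withheld = 0
    for ev in events:
        if requester not in ev.persons:
            continue  # not the requester's personal information at all
        others: list[dict] = []
        for acct, fields in ev.persons.items():
            if acct == requester:
                continue
            if acct in consented:
                others.append({"account": acct, **fields})
            else:
                others.append({"account": REDACTED,
                               "withheld_fields": sorted(fields)})
                needs_consent.add(acct)
                withheld += 1
        records.append({
            "event_id": ev.event_id,
            "timestamp": ev.timestamp,
            "kind": ev.kind,
            "device": dict(ev.device),
            "you": dict(ev.persons[requester]),
            "other_people": others,
        })
    return {
        "requester": requester,
        "records": records,
        "withheld_entries": withheld,
        "consent_to_seek_from": sorted(needs_consent),
    }


def as_json(response: dict) -> str:
    """Machine-readable copy for the requester (what the app would download)."""
    return json.dumps(response, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Alice's request before any consent has been obtained from Bob or Cara.
    print(as_json(build_sar_response(SAMPLE_EVENTS, "acct-1")))
```

The `consent_to_seek_from` list is what a support team would work from before sending the final response; once Cara consents, passing `frozenset({"acct-3"})` releases her details in the shared events while Bob’s stay withheld.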

Further reading 

Right of access

What is the right to rectification?

People have the right to ask you to rectify any inaccurate personal information you hold about them. They may also be able to have incomplete personal information completed, although this depends on the purposes of the processing.

Rectification requests may result from a subject access request.

If you receive a rectification request, you must satisfy yourself about whether the information you hold is accurate and consider what steps you have taken to assure yourself of this. If the information is not accurate, you must rectify it without undue delay, and at the latest within one month of receiving the request.

You should consider how you may be able to give people tools to amend or update their personal information themselves through their IoT product. 

Further reading

Right to rectification

What is the right to erasure?

People have the right to have personal information erased. This is also known as the ‘right to be forgotten’. 

This right is not absolute. You should refer to our guidance for details about when the right to erasure does not apply. 

If you have disclosed the personal information to others, you must contact each recipient and inform them of the erasure request, unless this proves impossible or involves disproportionate effort.

You should provide settings for erasure of personal information in the most appropriate and logical way to the user – for example, in the same way you collected their information in the first place, if appropriate. 

You could offer settings directly in your IoT product, its accompanying mobile app or web account where people can ask you to delete their personal information. 

You must be absolutely clear with people as to what will happen to their personal information when you fulfil their erasure request, including in respect of back-up systems. You must also communicate their erasure request to any organisation you have shared personal information with.

If you use the ‘settings’ function within the IoT product to allow people to make an erasure request, you must clearly explain what the request will do: delete their account, delete all their personal information (including from your back-ups), or both.

You should remind people that simply deleting your IoT product’s mobile app will not necessarily delete their information. 

You could implement more granular options to allow people to delete certain types of personal information. 

Read our guidance on the right to erasure for more information about when it applies and what it requires. 

What is the right to data portability?

The right to data portability applies to any personal information someone gives you where:

  • your lawful basis for processing is either consent or contract; and
  • you are carrying out the processing by automated means.

People using IoT products may wish to move their personal information from one IoT product (or an online service) to another IoT product. They have the right to receive this personal information. 

In practice, people can ask you to transmit their personal information to another IoT product manufactured by you or to a different organisation. 

Where someone asks you to transmit their personal information directly to another organisation, you must do so if it is technically feasible.

The right doesn’t apply to personal information that you create based on what someone has given you.
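In a fitness-tracker backend the hard part of a portability export is deciding which fields are in scope. The following is an added example, not code from this guidance or from any product: it tags each stored field with where it came from and the lawful basis it is processed under, then exports only the fields the right covers and explains why the rest were left out. Following the ICO’s right to data portability guidance (linked below), it treats information the product observed from the person’s use, such as step counts, as within scope, and information inferred from it, such as a fitness score, as outside scope. The field names, origin labels and lawful-basis strings are assumptions.

```python
"""Building a data portability export that contains only the information
within the right's scope. Added example; field names and labels are
assumptions."""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Any, Iterable

# Provenance labels (assumed taxonomy): information the person typed in,
# information the product observed from their use of it, and information the
# service inferred from either of those.
PROVIDED, OBSERVED, INFERRED = "provided", "observed", "inferred"

# The right applies only to processing on these lawful bases, and only to
# information the person provided (including by using the product).
PORTABLE_BASES = frozenset({"consent", "contract"})
PORTABLE_ORIGINS = frozenset({PROVIDED, OBSERVED})


@dataclass(frozen=True)
class Field:
    name: str
    value: Any
    origin: str        # PROVIDED, OBSERVED or INFERRED
    lawful_basis: str  # e.g. "consent", "contract", "legitimate_interests"


# Constructed profile held by a fitness tracker service for one user.
SAMPLE_PROFILE: list[Field] = [
    Field("display_name", "Alice", PROVIDED, "contract"),
    Field("height_cm", 170, PROVIDED, "contract"),
    Field("weight_kg", 68, PROVIDED, "contract"),
    Field("daily_steps", [8123, 10402, 6550], OBSERVED, "contract"),
    Field("sleep_minutes", [412, 389, 450], OBSERVED, "consent"),
    Field("fitness_score", 71, INFERRED, "contract"),
    Field("predicted_weeks_to_goal", 9, INFERRED, "contract"),
    Field("login_ip_history", ["203.0.113.5"], OBSERVED, "legitimate_interests"),
]


def exclusion_reason(field: Field) -> str | None:
    """Why a field is outside the right to portability, or None if in scope."""
    if field.origin not in PORTABLE_ORIGINS:
        return "inferred by the service, not provided by you"
    if field.lawful_basis not in PORTABLE_BASES:
        return (f"processed on the basis of {field.lawful_basis}, "
                "not consent or contract")
    return None


def portability_export(fields: Iterable[Field], subject_id: str) -> dict:
    """Split the profile into exportable data and an explanation of the rest."""
    data: dict[str, Any] = {}
    not_included: dict[str, str] = {}
    for f in fields:
        reason = exclusion_reason(f)
        if reason is None:
            data[f.name] = f.value
        else:
            not_included[f.name] = reason
    return {"subject": subject_id, "schema": "portability-export/1",
            "data": data, "not_included": not_included}


def to_json(export: dict) -> str:
    """Machine-readable form for the person to download or for transmission."""
    return json.dumps(export, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(portability_export(SAMPLE_PROFILE, "user-42")))
```

Keeping `not_included` in the export lets the app tell the person, in the same place they asked, why the score and prediction the product showed them are not in the file; the inferred values can still be obtained through a subject access request.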

Further reading

Right to data portability

What is the right to object?

People have the right to object to the processing of their personal information at any time. This allows them to stop (or prevent) you processing their personal information. 

The right only applies in certain circumstances. Whether it applies depends on your purposes for processing and your lawful basis for processing. For example, it will apply where the lawful basis is legitimate interests, but it won’t apply if you rely on consent.

But people have an absolute right to object to the processing of their personal information for direct marketing purposes. This includes online advertising that involves processing personal information. In this context, there are no exemptions or grounds for you to refuse.

In practice, this means you must inform people about how to object to targeted online advertising. You could implement a setting on your product or its mobile app where your users can express their objection. 

Read our guidance for information about what an objection request might look like and when you are obliged to fulfil the request.

Further reading

Right to object

What is automated decision-making and profiling?

What is profiling?

Profiling is automated processing of personal information that analyses or predicts aspects of a person’s personality, behaviour, interests and habits in order to make predictions or decisions about them. It often relies on algorithms or models trained on that information.

Organisations use profiling to:

  • find out something about people’s preferences;
  • predict their behaviour; and
  • make decisions about them.

Your IoT product is likely to involve profiling if it uses personal information for purposes such as personalising the user experience. For example:

  • a fitness tracker may process users’ weight, height and physical activity levels to make predictions about how long it may take them to lose a certain amount of weight;
  • IoT products with sleep-tracking functionality process information about people’s sleep patterns and possible sleep deprivation;
  • a smart TV may use information about users’ viewing habits to enable targeted advertising;
  • a virtual assistant on a smart speaker may tailor its responses to users’ queries based on their location;
  • smart doorbells may track visitor patterns to record and analyse the frequency and timing of visitors to identify regular visitors and unusual activity;
  • a home hub may learn daily routines to automate home settings, such as adjusting the thermostat when users wake up or go to bed; and
  • smart domestic appliances such as washing machines or refrigerators may keep track of their usage patterns and use this information to suggest maintenance schedules and energy-saving tips.

Automated decision-making

Automated decision-making is the process of making decisions by automated means without any human involvement. These decisions can be based on factual data, as well as on digitally created profiles or inferred data. Automated decision-making often involves profiling but does not have to.

What are the rules for profiling and automated decision-making?

The UK GDPR gives people the right not to be subject to solely automated decisions, including profiling, which have a legal or similarly significant effect on them.

‘Solely’ means a decision-making process that is totally automated and excludes any human influence on the outcome. A process isn’t solely automated if someone weighs up and interprets the result of an automated decision before applying it to a person.

If you are unsure whether a decision has a similarly significant effect on someone, you should consider the extent to which it might impact their rights and freedoms or affect, for example, their:

  • financial circumstances;
  • health;
  • reputation;
  • employment opportunities;
  • behaviour; or
  • choices.

While many IoT products may involve automated decision-making, their decisions do not necessarily have a legal or similarly significant effect. A data protection impact assessment (DPIA) can help you decide whether or not the intended processing falls within Article 22.

Example 

A smartwatch records people’s physical activity, including the types of activity and their health metrics. It uses this personal information to make recommendations for exercising programmes to improve their fitness. 

The decision about what exercising programmes to show the user is unlikely to significantly affect them. All it does is show them programmes based on their past activity metrics. 

However, decisions may have significant effects if your IoT product performs them for other purposes. 

Example

An insurance provider supplies smartwatches that record people’s physical activity as part of its health insurance products, and uses that personal information to determine people’s premiums. Users who have higher levels of activity receive lower premiums than those who don’t.

This type of decision is more likely to significantly affect particular users, as it may impact their financial circumstances, health, behaviour or choices.

If you want to use automated decision-making, including profiling, you must ensure your processing is covered by one of the exceptions in Article 22(2):

  • the decision is necessary for a contract;
  • the decision is authorised by law; or
  • the decision is based on the person’s explicit consent.

Remember, people can also object to profiling you carry out, as described under the right to object above. As part of complying with that right, you must explicitly bring it to people’s attention and present it clearly and separately from other information.

If your product is aimed at children or likely to be used by children, you should switch processing options that use profiling off by default. ‘Off by default’ does not mean profiling is impossible or banned. By following the safeguards and steps in the Children’s code’s standard on profiling, your profiling using children’s information can take place safely and fairly.