How do we help people exercise their rights?
The UK GDPR gives people various rights about their personal information. You must help people exercise these rights. This includes people who are registered or unregistered users of your IoT products and services and whose personal information you process.
You must have accessible, clear, easy-to-use, documented and evidenced methods to facilitate and respond to people’s rights requests.
You should consider how you can do this in the easiest and most appropriate way for them – for example, directly through your IoT product, through its accompanying mobile app, or through any online account they use.
You should pay particular attention to this if your IoT product is aimed at children or likely to be accessed by them. You should provide prominent and accessible tools to help children exercise their data protection rights and report concerns.
In situations where you cannot identify people, you don’t have to collect additional information just to ensure that you can respond to their requests. But where you are able to demonstrate that you can’t identify them, you must explain this to the person who made the request and allow them the opportunity to provide additional information enabling their identification.
Further reading
Our guidance on privacy in the product design lifecycle contains more information on empowering people to exercise their rights through interfaces.
What is the right of access?
The right of access allows people to see what information you collect and share about them. It allows people to submit a subject access request (SAR) and receive a copy of the personal information you process.
You should consider how to give people access to their information where they might expect it. This could be directly on the IoT product, in its accompanying mobile app or in the user’s online account.
You should:
- avoid making this process unnecessarily cumbersome; and
- consider where your users are most likely to look for tools allowing them to access their personal information.
Example
An IoT product is designed to be used with an accompanying mobile app. Users can also create an online account by using their browser, eg on a desktop PC or on their mobile device.
In these cases, a user may find it logical to look for ways to make a subject access request (SAR) in the mobile app’s settings as this is where they will usually interact with the product’s features.
The organisation also enables users to make a SAR by logging into the online account via their browser.
A different organisation makes a similar product with the same sort of online functionality. However, it enables users to make a SAR only through the online account and not the mobile app. This is not good practice because it artificially limits how people can exercise their rights, and doesn’t take account of how they normally use the product.
Personal information obtained through an IoT product can relate to more than one person. Therefore, responding to a user’s request to access information may involve providing information that relates to both the requester and another person.
You should consider whether it is possible to comply with the request without revealing information that relates to and identifies another person. You may delete from your response parts of the information that would identify the other person.
If you cannot delete the information about the other person, then to comply with the request you could try to ask the person for their consent if they are known to you. Alternatively, in some situations it may be reasonable to disclose the information about them anyway. You should refer to our guidance on right of access for when this might be the case.
Example
When there are multiple accounts for the same IoT product and you respond to a subject access request, some of the information you could give will probably relate to other people who have accounts for the product as well as the requester.
Since they have their accounts with your product, and are probably known to each other, you should have the means to contact them and ask for consent.
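The following is an added example, not ICO code or any manufacturer's implementation, showing one way to assemble a SAR response for one account holder of a shared IoT product while withholding information that identifies other account holders unless they have consented. The smart-lock event log, account ids and field names are constructed for illustration.

```python
"""Build a subject access request (SAR) export for one account holder of a
shared IoT product, redacting details that identify other account holders.

Added example (not ICO code). All records, ids and names are constructed."""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Constructed sample: a shared smart-lock's event log. Each event names the
# account that triggered it; some events also involve a second account
# (one user granting access to another).
EVENTS = [
    {"ts": "2024-05-01T07:58:00Z", "event": "unlock", "actor": "acct-1001", "device": "lock-front"},
    {"ts": "2024-05-01T08:05:00Z", "event": "unlock", "actor": "acct-1002", "device": "lock-front"},
    {"ts": "2024-05-01T18:30:00Z", "event": "share_access", "actor": "acct-1001",
     "counterparty": "acct-1002", "device": "lock-front"},
    {"ts": "2024-05-02T09:00:00Z", "event": "share_access", "actor": "acct-1003",
     "counterparty": "acct-1001", "device": "lock-front"},
]

# Constructed account profiles (placeholder names and addresses).
ACCOUNTS = {
    "acct-1001": {"name": "Alex Example", "email": "alex@example.com"},
    "acct-1002": {"name": "Blake Example", "email": "blake@example.com"},
    "acct-1003": {"name": "Casey Example", "email": "casey@example.com"},
}

# Fields whose values identify a person (assumed schema for this example).
IDENTIFYING_FIELDS = ("actor", "counterparty")
REDACTED = "[redacted third party]"


@dataclass
class SarExport:
    requester: str
    profile: dict
    events: list[dict]
    # Ids of other account holders whose details were withheld. Kept so the
    # organisation can decide whether to seek their consent; never exported.
    third_parties_redacted: set[str] = field(default_factory=set)


def build_sar_export(requester: str, events: list[dict], accounts: dict,
                     consented: frozenset[str] = frozenset()) -> SarExport:
    """Return the requester's profile and every event that relates to them.

    Other account holders named in those events are replaced by a redaction
    marker unless their id is in `consented`."""
    kept, redacted = [], set()
    for ev in events:
        parties = {ev[f] for f in IDENTIFYING_FIELDS if f in ev}
        if requester not in parties:
            continue  # does not relate to the requester at all
        rec = dict(ev)
        for f in IDENTIFYING_FIELDS:
            other = rec.get(f)
            if other and other != requester and other not in consented:
                rec[f] = REDACTED
                redacted.add(other)
        kept.append(rec)
    return SarExport(requester, dict(accounts[requester]), kept, redacted)


def to_json(export: SarExport) -> str:
    """Machine-readable copy for the requester. Only a count of redactions is
    included, so the output itself cannot identify the withheld parties."""
    return json.dumps(
        {"requester": export.requester, "profile": export.profile,
         "events": export.events,
         "third_parties_redacted_count": len(export.third_parties_redacted)},
        indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(build_sar_export("acct-1001", EVENTS, ACCOUNTS)))
```

Passing `consented=frozenset({"acct-1002"})` restores that account's id in the export once consent has been obtained, which is the path the guidance describes for account holders who are known to you; anything still in `third_parties_redacted` is the list of people whose consent you would need to seek.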
What is the right to rectification?
People have the right to ask you to rectify any inaccurate personal information you hold about them. They may also be able to have incomplete personal information completed, although this depends on the purposes of the processing.
Rectification requests may result from a subject access request.
If you receive a rectification request, you must satisfy yourself about whether the information you hold is accurate and consider what steps you have taken to assure yourself of this. If the information is not accurate, you should take steps to rectify it within one month of receiving the request.
You should consider how you may be able to give people tools to amend or update their personal information themselves through their IoT product.
What is the right to erasure?
People have the right to have personal information erased. This is also known as the ‘right to be forgotten’.
This right is not absolute. You should refer to our guidance for details about when the right to erasure does not apply.
If you have disclosed the personal information to others and need to comply with a right to erasure request, you must contact each recipient and inform them of the erasure request, unless this proves impossible or involves disproportionate effort.
You should provide settings for erasure of personal information in the most appropriate and logical way to the user – for example, in the same way you collected their information in the first place, if appropriate.
You could offer settings directly in your IoT product, its accompanying mobile app or web account where people can ask you to delete their personal information.
You must be absolutely clear with people as to what will happen to their personal information when you fulfil their erasure request, including in respect of back-up systems. You must also communicate their erasure request to any organisation you have shared personal information with.
If you use the ‘settings’ function within the IoT product to allow people to make an erasure request, you must clearly explain that their request will delete their account or delete all their personal information (including from your back-ups), or both.
You should remind people that simply deleting your IoT product’s mobile app will not necessarily delete their information.
You could implement more granular options to allow people to delete certain types of personal information.
Read our guidance on the right to erasure for more information about when it applies and what it requires.
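The following is an added example, not ICO code or any manufacturer's implementation, of an erasure workflow that covers the points above: granular deletion by category, a plain-language statement of what will happen (including back-ups), notification of every organisation the information was shared with, and an evidence trail. The stores, retention period, partner names and notification stand-in are all constructed assumptions.

```python
"""Process a right-to-erasure request for an IoT account.

Added example (not ICO code). The live store, recipient list, 30-day back-up
retention and notifier are constructed stand-ins for real systems."""
from __future__ import annotations

import copy
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable

DATA_CATEGORIES = ("activity", "location", "voice")

# Constructed sample: live records per account and category, and the
# organisations each account's data has been shared with (placeholder names).
LIVE_STORE = {
    "acct-1001": {
        "activity": [{"ts": "2024-05-01", "steps": 8200}, {"ts": "2024-05-02", "steps": 6400}],
        "location": [{"ts": "2024-05-01", "geo": "51.50,-0.12"},
                     {"ts": "2024-05-02", "geo": "51.51,-0.10"}],
        "voice": [],
    },
}
RECIPIENTS = {"acct-1001": ["analytics-partner-example", "ads-partner-example"]}


@dataclass
class ErasureRequest:
    account_id: str
    categories: tuple[str, ...] = DATA_CATEGORIES  # granular: any subset
    close_account: bool = False


@dataclass
class ErasureOutcome:
    account_id: str
    deleted_live: dict[str, int]        # category -> live records removed
    backup_purge_due: date              # when the last back-up holding the data expires
    recipients_notified: list[str]
    recipients_failed: list[str]        # must be retried; recorded as evidence
    account_closed: bool
    evidence: list[str] = field(default_factory=list)


def describe_effect(req: ErasureRequest, backup_retention_days: int) -> str:
    """Plain-language statement shown before the user confirms."""
    msg = (f"We will delete your {', '.join(req.categories)} data from our live "
           f"systems now and from back-ups within {backup_retention_days} days.")
    if req.close_account:
        msg += " Your account will be closed."
    return msg + " Uninstalling the app does not delete this data."


class ErasureService:
    def __init__(self, live_store: dict, recipients: dict,
                 notify: Callable[[str, str, tuple[str, ...]], bool],
                 backup_retention_days: int = 30, today: date | None = None):
        self.live = live_store
        self.recipients = recipients
        self.notify = notify          # returns True when the recipient acknowledged
        self.retention = backup_retention_days
        self.today = today or date.today()

    def process(self, req: ErasureRequest) -> ErasureOutcome:
        unknown = set(req.categories) - set(DATA_CATEGORIES)
        if unknown:
            raise ValueError(f"unknown categories: {sorted(unknown)}")
        evidence, deleted = [], {}
        account = self.live.get(req.account_id, {})
        for cat in req.categories:
            deleted[cat] = len(account.get(cat, []))
            account[cat] = []
            evidence.append(f"{self.today} deleted {deleted[cat]} live {cat} records")
        # Back-ups are not rewritten in place; the data is gone once the last
        # back-up taken before today ages out. Record that date as evidence.
        purge_due = self.today + timedelta(days=self.retention)
        evidence.append(f"back-up purge due {purge_due}")
        ok, failed = [], []
        for org in self.recipients.get(req.account_id, []):
            (ok if self.notify(org, req.account_id, req.categories) else failed).append(org)
        evidence.append(f"recipients notified {ok}; failed {failed}")
        closed = False
        if req.close_account:
            self.live.pop(req.account_id, None)
            closed = True
            evidence.append("account closed")
        return ErasureOutcome(req.account_id, deleted, purge_due, ok, failed, closed, evidence)


def demo_notify(org: str, account_id: str, categories: tuple[str, ...]) -> bool:
    # Constructed stand-in: pretend one partner's endpoint is unavailable.
    return org != "ads-partner-example"


def run_demo(today: date = date(2024, 6, 1)) -> ErasureOutcome:
    svc = ErasureService(copy.deepcopy(LIVE_STORE), RECIPIENTS, demo_notify, today=today)
    return svc.process(ErasureRequest("acct-1001", categories=("location",)))


if __name__ == "__main__":
    print(describe_effect(ErasureRequest("acct-1001", ("location",)), 30))
    print(run_demo())
```

The `recipients_failed` list is deliberately kept rather than swallowed: a failed notification is a compliance gap that needs a retry and a record, not a silent success.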
What is the right to data portability?
The right to data portability applies to any personal information someone gives you where:
- your lawful basis for processing is either consent or contract; and
- you are carrying out the processing by automated means.
People using IoT products may wish to move their personal information from one IoT product (or an online service) to another IoT product. They have the right to receive this personal information.
In practice, people can ask you to transmit their personal information to another IoT product manufactured by you or to a different organisation.
You must transmit the personal information if it is technically feasible.
The right doesn’t apply to personal information that you create based on what someone has given you.
What is the right to object?
People have the right to object to the processing of their personal information at any time. This allows them to stop (or prevent) you processing their personal information.
The right only applies in certain circumstances. Whether it applies depends on your purposes for processing and your lawful basis for processing. For example, it will apply where the lawful basis is legitimate interests, but it won’t apply if you rely on consent.
But people have the absolute right to object to the processing of their personal data if it is for direct marketing purposes. This includes online advertising that involves personal data processing. In this context, there are no exemptions or grounds for you to refuse.
In practice, this means you must inform people about how to object to targeted online advertising. You could implement a setting on your product or its mobile app where your users can express their objection.
Read our guidance for information about what an objection request might look like and when you are obliged to fulfil the request.
What are automated decision-making and profiling?
The UK GDPR sets out how you can carry out automated decision-making, including profiling, in ways that protect people’s rights, interests and freedoms. We call these ‘the ADM provisions’.
What is automated decision-making?
Automated decision-making is the process of making decisions by automated means without any meaningful human involvement. These decisions can be based on factual data, as well as on digitally created profiles or inferred data. Automated decision-making often involves profiling but does not have to.
When we use the term ‘ADM’ in this guidance, we are specifically referring to automated decision-making as defined in article 22A of the UK GDPR. This is where a decision:
- is “based solely on automated processing”, including profiling (ie there is no meaningful human involvement in the decision); and
- has a “legal or similarly significant effect” on a person (which the UK GDPR refers to as a “significant decision”).
‘Solely’ means a decision-making process that is totally automated and excludes any real human control on the outcome. A process isn’t solely automated if someone weighs up and interprets the result of an automated decision before applying it to a person.
A ‘legal effect’ is something that affects a person’s legal status or their legal rights. A ‘similarly significant effect’ is something that has an equivalent impact on a person’s circumstances, behaviour or choices.
If you are unsure whether automated decisions have a legal or similarly significant effect on someone, you should consider the extent to which it might impact their:
- legal status or legal rights;
- financial circumstances (including creditworthiness, bank account access, and evaluation, provision or denial of insurance or benefits);
- employment opportunities and circumstances (eg recruitment, promotion);
- health (eg access to or allocation of medical interventions);
- access to education and relevant opportunities (eg awarding grades, personalised learning);
- access to housing;
- access to essential public and private services;
- reputation (eg automated scoring systems that influence trust ratings or professional standing);
- behaviour (eg nudging teenagers to adopt unhealthy eating habits via recommendations that are based on profiling that determines they are more susceptible); or
- choices (eg dynamic pricing or discriminatory offers).
While many IoT products may involve solely automated decision-making, the decisions don’t necessarily have a legal or similarly significant effect.
Example
A smartwatch records people’s physical activity, including the types of activity and their health metrics. It uses this personal information to make recommendations for exercising programmes to improve their fitness.
The decision about what exercising programmes to show the user is unlikely to significantly affect them. All it does is show them programmes based on their past activity metrics.
However, decisions may have significant effects if your IoT product performs them for other purposes.
Example
A smartwatch records people’s physical activity. An insurance provider provides fitness trackers as part of its insurance products and uses the personal information to determine people’s health insurance premiums. Users who have higher levels of activity receive lower premiums than those who don’t.
This type of decision is more likely to significantly affect particular users, as it may impact their financial circumstances, health, behaviour or choices.
A DPIA can help you decide whether or not the intended processing is subject to the ADM provisions.
What is profiling?
Profiling analyses aspects of a person’s personality, behaviour, interests and habits to make predictions or decisions about them. Profiling may use algorithms.
Organisations use profiling to:
- find out something about people’s preferences;
- predict their behaviour; and
- make decisions about them.
Your IoT product is likely to involve profiling if it uses personal information for purposes such as personalising the user experience. For example:
- a fitness tracker may process users’ weight, height and physical activity levels to make predictions about how long it may take them to lose a certain amount of weight;
- IoT products with sleep-tracking functionality process information about people’s sleep patterns and possible sleep deprivation;
- a smart TV may use information about users’ viewing habits to enable targeted advertising;
- a virtual assistant on a smart speaker may tailor its responses to users’ queries based on their location;
- smart doorbells may track visitor patterns to record and analyse the frequency and timing of visitors to identify regular visitors and unusual activity;
- a home hub may learn daily routines to automate home settings, such as adjusting the thermostat when users wake up or go to bed; and
- smart domestic appliances such as washing machines or refrigerators may keep track of their usage patterns and use this information to suggest maintenance schedules and energy-saving tips.
What are the rules for profiling and automated decision-making?
The UK GDPR allows you to carry out ADM using any of the lawful bases except for recognised legitimate interest. But you must implement safeguards for people’s rights and freedoms.
You must include measures in your ADM safeguards that:
- tell people about any decision you take about them;
- enable them to make representations to you about the decision;
- enable them to obtain human intervention from you about the decision; and
- enable them to contest the decision.
These safeguards work to ensure that your ADM processes are fair, lawful and transparent. You must apply them consistently instead of on an ad-hoc, discretionary basis.
The first safeguard is key because it allows people to have the necessary context to decide whether they want to exercise their other rights (eg to contest the decisions you make).
While this safeguard is separate from the right to be informed, in the IoT space many of the same considerations about providing privacy information are likely to apply in practice, for example how you take into account the form factor of your IoT product, or whether it has a screen.
Ultimately, you must ensure that what you tell people about decisions:
- is clear and accessible;
- helps people understand the decision you made;
- explains how you reached it; and
- tells them about its actual impact.
You should also include things like:
- what factors contributed to the decision;
- whether it involved profiling; and
- whether information from third parties influenced the decision.
The UK GDPR also allows you to base the ADM you carry out entirely or partly on special category data, but only in certain circumstances. Article 22B says these are where the decision is:
- necessary for a contract;
- authorised by law; or
- based on the person’s explicit consent.
For the last two conditions, you must also identify a substantial public interest condition out of the 23 available. (For more information, see the section ‘What are the substantial public interest conditions?’ in our detailed guidance on special category data.)
These aren’t the same as the lawful bases in article 6 or the conditions for processing special category data in article 9. In practice, this means that if you do use special category data to carry out ADM, you must identify:
- a lawful basis under article 6;
- a condition for processing special category data under article 9; and
- a condition in article 22B.
Remember, people can also object to any profiling you do. As part of compliance with the right to object, you must bring this to people’s attention and present it separately from other information.
If your product is aimed at children or likely to be used by children, you should take into account the profiling standard of our Children’s code. By following the safeguards and steps in the standard, your profiling using children’s data can take place safely and fairly.