GDPR gives individuals a greater say over how their data is used by others. In particular GDPR reiterates the previous legislation’s rules about the need for companies to keep accurate information. It also enhances the rights of individuals to have inaccurate information about them corrected or rectified.
In this article we examine the main issues of concern around incorrect personal data and the right of rectification under GDPR compliance regulations.
You might find it useful to refer to our GDPR FAQs alongside this guide.
Here, we'll examine:
- What is the GDPR right to rectification?
- Why data accuracy matters for your business
- Does incomplete personal data mean it is inaccurate?
- Does data have to be kept up to date?
- How to improve data accuracy and integrity
- What right does a data subject have to correct inaccurate personal data?
- Recognising requests for rectification and recording them
- When should personal data be rectified?
- Accidental disclosure of personal data to third parties
- Correcting personal data that has been shared with other parties
What is the GDPR right to rectification?
Article 16 of the GDPR states that data subjects have the right to have inaccurate data about them rectified. Even if you, or your organisation, have taken reasonable steps to ensure accuracy when first gathering the data, the right of rectification means that, as a data controller, you are obliged to check the accuracy of the data you hold when a data subject asks you to.
Why data accuracy matters for your business
Today, businesses depend on accurate and consistent personal data. In a purely commercial sense, the accuracy of the data you hold about clients, consumers and customers is critical. If the data is not a true reflection of reality – or is inconsistent – then it can’t be relied on when it comes to creating business plans, developing analytics or providing effective customer service. Relying on incomplete or inaccurate data for marketing purposes could, for example, result in you drawing the wrong conclusions and targeting the wrong people.
From a legal point of view data accuracy matters because it’s a requirement of data protection legislation like GDPR.
Briefly the rules are:
- Personal data must be accurate
- When necessary data must be kept up to date
- Personal data is inaccurate if it is incorrect or misleading
- Organisations must take all reasonable steps to erase or rectify inaccurate information.
A failure to keep accurate information, or to correct it when requested can lead to regulatory intervention and sanctions. In turn this may damage the reputation of your business.
Does incomplete personal data mean it is inaccurate?
It will depend on the nature of the data and whether the missing information renders the data as a whole inaccurate. Individuals, however, can ask your organisation to add information that’s missing from the data you hold on them. This is part of the right to rectification that we examine below.
Does data have to be kept up to date?
Not always. You need to consider what you use the information for. For example, it would be sensible to amend a regular customer’s records if they change address so goods get delivered to the right place. While you aren’t required to proactively check if every customer has changed address, if a customer informs you of this or another change in their personal data you are obliged to update your records. But it wouldn’t be necessary to do the same for a client who will only ever use your services on one occasion. Usually it will be obvious whether or not the data in question needs to be kept up to date. If you have stored data to create statistical or historical information it would clearly undermine your research if you continually updated that data.
How to improve data accuracy and integrity
If you collect the data yourself it’s up to you to avoid collecting inaccurate data. Practical steps you can take include ensuring that forms you ask individuals to complete (job applications for example) are comprehensive and clear – to minimise the possibility of misunderstanding and individuals providing inaccurate data. Of course you can’t always confirm every piece of information provided to you by a customer or client but you can ensure that you:
- Record the information provided carefully and accurately
- Satisfy yourself as to the reliability of the source of the information
- Take reasonable steps to ensure the accuracy of the information – for example by independently verifying qualifications disclosed by an employee
If you discover inaccurate data, you should remove it or update it as soon as appropriate. Many aspects of personal data will change over time. Information that was accurate when obtained may become inaccurate following some event in the data subject’s life. Again, if you become aware of this you should take all necessary steps to update your records.
What right does a data subject have to correct inaccurate personal data?
The right of individuals to have inaccurate data corrected or rectified and have incomplete information completed is safeguarded under Article 16 of GDPR.
Even if you have taken the steps described above to safeguard the accuracy of information you hold, you must re-examine the information if you receive a request for rectification. If it transpires that the information is inaccurate, you must take all reasonable steps to rectify it.
Recognising requests for rectification and recording them
There is no formal method for making a request for data rectification. If an individual contests the accuracy of information and asks you to correct it, you should treat it as a rectification request. Because the request can be made to anyone in your organisation, it’s helpful to train the individuals who are likely to receive such requests and to introduce protocols for recording them.
When should personal data be rectified?
The time limits for dealing with a data rectification request are similar to the time limits for responding to subject access requests. You have one month from receiving the request to respond.
If you are charging an administration fee or have requested proof of the individual’s identity, the clock runs from the date of receipt of the fee or proof of ID. If the request is complex, it’s possible to extend the time limit by two months, but you must explain this to the requester.
Accidental disclosure of personal data to third parties
As with any data breach, your first responsibility is to consider if the disclosure of information poses a likely risk to the rights and freedoms of individuals. If there is a risk, you must report the matter to the Information Commissioner.
If incorrect information is released as a result of a breach, the inaccuracy may remove any risk to individuals (for example by making identification impossible), meaning there may not be a need to report it. On the other hand, it could increase the risk to individuals, triggering your internal procedure for reporting data breaches, which will involve contacting the ICO and affected individuals. Each case must be considered on its facts.
Correcting personal data that has been shared with other parties
Unless the exercise would be disproportionate, when you have disclosed inaccurate or incomplete personal data to third parties you must inform them when you rectify that information and provide details of the new data.