Finally, for Course 7 on rights. We're going to talk about the final three here: automated decision-making, portability, and just managing general complaints. Same information applies again: the general rights, free, one calendar month. All the same sort of thing that you see under the GDPR. Then again, we've got the same sorts of rights here. We're going to focus this time on automated decisions, portability, and restriction. I have to exam questions around here. Again, these are limited rights. What I mean by limited rights, again, is these are rights that only apply in certain circumstances.

We're going to talk a little bit about automated decision-making. In fact, it is worth me just explaining a little bit about what automated decision-making is. All we're talking about here is a computer trying to make a decision about you, trying to put you in a bucket or put you in a category or say a yes or no or how much. This could be an example as simple as car insurance, when you type in some details about yourself and it tells you you could have car insurance, or how much it'll be. A bank loan, for example. It could be CV scanning: you put a CV in and you type some criteria into a computer and it tells you what CVs meet those criteria. Or it could be something a little bit more like deciding what categories people fall into for the purposes of advertising or surveillance capitalism or marketing, or algorithms that might be doing big data analysis and trying to decide what categories people fall into or what they display to who. Generally speaking, automated decision-making, it's a computer doing some algorithm, taking some decision that will affect you in some way.

What does the GDPR say about it? Well, it says that the individuals should have the right not to be subject to algorithms or not to be subject to a decision based just on the computer, which produces some effect on the individual.
The idea is that you alone does not have to be responsible, the computer alone cannot take that decision. Which means you have two rights, it's actually two rights here. One is to understand the logic of that decision-making processing. By the way, when we say on-demand the logic, we're not saying that the provider has got to explain the algorithm in great detail. It could be the fact of, "Well, do you know what? You said you had 60K in the bank, if you said you had 80K in the bank, we would have given you the mortgage." Effects then why perhaps. You need not to give out the commercial secrets of your algorithm, but just say, "If you were to set something different on the input, the output would have been quite different as well." You have to give them some understanding about what the logic is.

CV scanning, for example, I might say, "Well, why didn't I get the job?" They say, "Well, we put in a search for data protection officer but you described yourself as a privacy expert or privacy guru or something equally as ridiculous. So because we typed in data protection officer, privacy expert that didn't come out because that wasn't our search." Then you can say, "Okay. Well, can I have a human being have a look at that then? The computer said no, thank you for explaining the logic because I've got the right not to be solely subjected to a computer making that decision about me, the computer can't say no, can a human being have a look at that decision?"

This is going to be increasingly used, I think, with these algorithmic decisions. We're seeing big data, we're seeing algorithms, or say in AI. We're seeing computers discriminating against people, and I said you don't mean that in a negative way. When somebody takes a decision and puts one person in one category or excludes someone from a category, that's discrimination. It's only bad discrimination, if you like, if it's based on race or sexuality or ethnicity or something of that kind.
We actually allow computer-based discrimination all the time. The computer might give you a different price depending on what country it thinks you're from or what software you're using. We actually do allow discrimination, but of course, not in a way that will disadvantage certain groups.

The next one to consider then is portability. Portability is an odd one, it's more of a competition law right than a data protection right. It's a bit like data subject access requests, but it's about sending data onto another controller rather than to the individual. Basically what they realized in Europe is that people weren't changing providers. People weren't comparing mobile phones or banks or energy providers. They weren't moving around the market, therefore, people weren't getting the best deals. That's bad for competition. So how do we make it easy for people to change providers? The answer to that is to make it easy for their data to move from one provider to another. The right to portability is you writing to one provider and saying, "Hey, send my data to your competitors." If you're with a bank, it's, "Hey bank, here's my information, give it to your competing bank so I can much more easily manage that transition. I can already have all my debits set up and withdrawals and deposits set up because you'll be taking my data and removing it from one bank to another." Now, clearly you can see how some providers would like you to leave them, make it hard for you to leave them.

There are some conditions to this, there are some reasons to this. The first one is about legal basis. The first condition is that it must be a contract or consent, which makes sense. You're in a commercial situation here. The contractual necessity is a legal basis, makes perfect sense to me. The second one, the data must be in a commonly held machine-readable format. Now, what's a commonly held machine-readable format?
I think it excludes manual data, you can represent paper-based files to your competitor. Basically, it's got to be in a way that your competitor can read that computer file and understand it and use it. A commonly held machine-readable format, to me that would be more even like an Excel file because that's the Microsoft format, would have to be a CSV or an XML, or something that multiple machines could read and use rather than view, you try to make it harder for your competitors.

The final bit of information here is only the data received from the data subjects. I think what that means is you don't have to give away your trade secrets again, the right to portability. If you've added value to that data somehow, if you've say added your algorithm or purchased some data and added it to enrich the data somehow, you don't have to send that to your competitor and give them that advantage. It's only the data the data subject has given you. Only the data the data subject has given you. The data subject writes to you and they say, "Hey, I'd like to send my data to the other provider in electronic format, send it over to the third party." I'm going to do all the same things you do on a normal subject access request. Look for exemptions perhaps, and verify their ID, can be free of cost again, very limited use right, but I see a lot of exam questions about it. What are each stage of portability: sending it to another provider, contract or consent, commonly held machine-readable format, only data received from the data subject.

Again, GDPR right. We don't see it too often in other provisions around the globe. In fact, some of these restricted rights, we really only see transparency access. Sometimes the right to prevent direct marketing. Sometimes even that someone opts out rather than an opt-in basis. Some of these are purely GDPR rights.

The final one here we're going to talk about restriction, sometimes known as purpose suppression. But this is your do not use or do not email.
Could be used as an alternative to deletion. The idea, of course, is you've made a complaint, you say I'm not happy with the way you're processing my sets of data. But now we need to lead to, I don't want to leave your service. I don't want erasure. Well, I just want you to see some mark down. This is hurting me. That the data is inaccurate, perhaps. Therefore, don't use it while we're having the argument, while we're having the discussion, while we're putting it right. Put it on a do not use list. Suppress the purpose, if you like. With the most famous purpose of suppression I suppose would be to suppress it for direct marketing, add it to the do not market list. But there could be other lists. Do not use it for x or do not use it for y purpose. I'm okay with using it for A, but not for B. Restriction is a really interesting one to talk about.

Finally, we just want to talk about the complaints process. I actually think most of these rights requests you can solve by being nice to your customer. Quite often, if an individual does complain to the regulator, the regulator will often turn around and say, "Well, have you taken up with the organization? Have you given the organization a chance to fix it before you've stepped in with your size nines and before we go into the regulator, did you give the organization a chance to fix this?" They will need you always before you go to regulator. The regulators are dropping out of thin air. Generally speaking, you'll have some forewarning. You will have the chance to speak to your customer and be nice to your customer.

I think actually, data protection can also be well handled as another line of defense within your complaints situation. Where did you get your complaints from? I like to deal with the accuracy of data. I like to deal with the people who you might give data to. Where did you get your complaints from? Who makes them?
It's worth the data protection team or privacy team really getting to grips with the complaints, working it out. How many of those requests have to do with unsolicited direct marketing or how many of those complaints have to do with data subject access requests, for example, or incorrect data? Can we do something to stop them from even going to the regulator? Such as giving them some remuneration or redress or discounts or something that says, "Hey, we appreciate we messed up here. We'll sort it out for you." Because if you do it and if you get it right in accordance with their request, well, the regulator can then make you do it because you've taken the right action, you've solved it.

Look after your customer. I think that's my parting shot here with rights. Be nice to your customer. If you're nice to your customer, then at the end of the day, if you've got happy customers that you're dealing with in a way that is fair and equitable and you're managing the data in line with our expectations, well, the regulator should never have to be involved.

That's as far as we're going to go on a rights request in the CIPM course. We're going to talk in the next section, we're going to talk about training and awareness. Training and awareness is Section 8. I look forward to seeing you there.