25. Juni 2018 - Importance and implementation

General Data Protection Regulation: data accuracy in practice

Data accuracy is one of the central principles of data processing in the General Data Protection Regulation (GDPR). The principle is not new. However, as the new legislation takes effect, it has now become more important than ever. This is because violations are subject to fines. What does data accuracy specifically entail?

Was ist unter Datenrichtigkeit genau zu verstehen? A correct database is just as important for the controller as for data subjects, especially where companies use data as the basis for decision-making, such as (credit) scoring or profiling (Image: / peterhowell)

Data accuracy is ensured if the data stored about specific persons properly and truthfully reflect facts about their personal and material circumstances in relation to the specific purpose of processing (!).

In the context of the company’s applicant management system, this is the case if data about applicants, their education experience, advanced training and personal circumstances is correctly and truthfully recorded, and a hiring decision is made on this basis.

The purpose of processing is also important. It makes a difference whether data is processed for marketing purposes or for performance of contract.

For example, the string of numbers 0123456 is correct when used for a telephone number in the „Contact details“ field. The same sequence is incorrect if used for the account number for incoming payments.

What does data accuracy mean?

The principle of data accuracy can be subdivided into three aspects: data correctness, currency and completeness.

First aspect: Data correctness

The first aspect pertains to factual correctness. This means that the data must be factually correct in relation to the purpose of processing.

The data must accurately represent the data subject, his / her relationship with the controller and his / her circumstances.

Data accuracy is also connected to the authenticity of data. The data must be clearly attributed and linked to the data subject. This is especially important for multiple data records with multiple data subjects.

Second aspect: data currency

Data that is no longer up to date, such as an outdated address, is also inaccurate. In other words, data must be kept up to date. The time of evaluation is the fundamental point of reference.

This also applies to data that loses its legal significance after a certain period of time, such as in the case of employee warning notices. However, if new data is added, existing data does not automatically become out of date.

At the same time, this does not constitute a free pass for stockpiling data: The reason for storage must still be legitimate and highly plausible, and not merely possible.

If data records have already been stored for some time (unchanged) and new data is added, it is advisable to check that the data is up to date. The same applies to data histories such as backups. Such histories must also be kept up to date in order to satisfy other obligations.

The frequency of in-house backups should reflect the frequency of data changes. For example, in banking, data related to posting and payment transactions changes very frequently. In this case, more frequent backups are recommended (daily, weekly or monthly).

Third aspect: Data completeness

Data is also inaccurate if it is incomplete and therefore unsuitable for fulfilling a processing purpose. In e-commerce, this would apply to missing payment data, for example.

Data is assumed to be incomplete if misunderstandings or misconceptions can arise in the context of data processing. For example, if data is missing about a receipt of payment that was actually correctly entered, misunderstandings can arise regarding the customer’s willingness to pay.

In this case, for each processing activity, controllers must predefine factors that are crucial to achieving a correct result in relation to the purpose.

The controller must therefore determine the factors (e.g., number of account changes, payment patterns, place of residence) that will lead to a complete and correct result.

It is helpful to name data records specifically and to clarify their meaning. Notes about currency in files are also helpful. Documentation of processing activities (Art. 30 GDPR) is also a good basis for later audits.

It must fully document the data involved as well as the types and categories of data that are the subject of the processing activity.

Data accuracy in big data analytics

Data accuracy is important when large amounts of data are analysed. Incomplete (raw) data leads to incorrect analysis results. In this case, plausibility checks or algorithms can, at least partially, help to filter out and exclude incorrect data records.

The longer a data processing activity takes and the more extensive it is, the greater the risk of using incorrect data. Further data protection principles come into play here, including data minimisation and storage limitation.

In concrete terms: Has the controller established a suitable erasure plan? Does the controller regularly check individual data records for redundancies?

Can the correctness of data always be assessed?

There are cases where the accuracy of data is difficult or impossible to assess objectively. This is the case for evaluations and judgements.

Basically, only facts („data subject is male“) allow for an objective review and correction, whereas value judgements („subject looks male“) do not. This can lead to problems in safeguarding the rights of subjects.

The underlying facts of an evaluation or judgement are the most important factor. For example, medical diagnoses are scientifically substantiated, but they are subjective evaluations or assessments of health conditions.

However, these diagnoses have a factual, objective basis in medical science and can be reviewed and corrected.

CAUTION: Separate storage and/or labelling is useful, especially when processing sensitive data. This allows for faster allocation, for example when access to information is requested.

It should be noted, however, that often neither accuracy nor inaccuracy can be proved through evaluations and assessments. The result: The controller must restrict processing.

Obligation of review and rectification

In principle, the GDPR does not require a proactive review of data records. However, the controller must take action upon becoming aware of incorrect data.

If the controller becomes aware of (potentially) incorrect data, e.g. after being notified by the data subject, the controller must immediately review the issue. If it turns out that the data is in fact inaccurate, it must be rectified, augmented or deleted.

If the data turns out to be factually correct, complete and up-to-date in relation to the processing purpose, the data subject should be informed of this decision and the case closed.

In cases where, after extensive review, neither the accuracy nor the inaccuracy can be determined, the data must be flagged as „non-verifiable“ for processing, blocked and separated during data management.

IMPORTANT: If a data subject disputes the accuracy, the controller must review the issue as soon as possible, but within no later than one month (recital 59).

Notification and communication obligations

If the controller has corrected, erased or restricted the processing of data, Article 19 of the GDPR includes a notification obligation. According to this article, the controller must actively communicate any rectification of the data records to the recipients of the data.

Recipients may include processors, subsidiaries, service providers, database marketers or public authorities.

HINT: During data transmission, documentation of the status of a data record at a particular point in time, e.g. at the time of transmission, can later help to prove the correctness of the data at that point in time.

This also serves documentation and accountability obligations. Similarly, contractual agreements are important, especially for order processing, because they define measures for

  • Preventing inaccurate data
  • Ensuring notification in the event of discrepancies
  • Establishing the correction process

According to Article 19 sentence 2 of the GDPR, however, the data subject must be notified about the recipients of data only if the data subject requests it, and not automatically.

The controller’s notification must be made immediately, does not require any special form and can be made in writing, electronically or verbally. However, the last option is problematic for verification reasons.

It is important to ensure that the free-of-charge notification is written using precise, transparent, understandable language and in an easily accessible format.

Creating templates, i.e., ready-made text modules, in advance saves resources and reduces response and completion times.

How can data accuracy be ensured? Minimising risks and measures

The controller must define and implement measures for ensuring data accuracy that are proportional to the risk.

Rule of thumb: The greater the risks of processing, the more extensive (even cumulative) the measures needed to ensure data accuracy.

Data classifications that take into account the processing purpose help identify the risks of the processed data. Ideally, there should be a data protection impact assessment that has already analysed the risks of individual processes for specific categories of data.

The upshot: data accuracy cannot be ignored

Accurate data, including accompanying documentation and logging, is essential for data protection compliance in the organisation.

The GDPR does not present major changes with regard to data accuracy. However, especially because of the fines, the principle must now be re-examined within the company.

Kevin Marschall
Kevin Marschall, LL.M., is a research fellow at the University of Kassel specialising in data protection law. He regularly publishes and lectures on practical data protection topics.