In the modern age, data is king. With every click, swipe, and tap, we generate data that is collected, analyzed, and used by companies for various purposes. However, with this data collection comes responsibility – the responsibility to ensure that individuals have control over their personal data. That’s where the General Data Protection Regulation (GDPR) comes in. The GDPR gives data subjects specific rights to their personal data. These data rights include obtaining copies of it, requesting changes to it, restricting the processing of it, deleting it, or receiving it in an electronic format so it can be moved to another controller. In this article, we’ll explore these data subject rights in detail and discuss why they are essential in the age of big data.
What are data subject rights?
The GDPR details eight data subject rights which grant individuals greater control over their personal data. These rights enable individuals to exercise authority over the collection, processing, and use of their personal information. Essentially, data subject rights establish a set of regulations governing the rights of individuals regarding their personal data.
The 8 data subject rights under GDPR
Under the General Data Protection Regulation (GDPR), individuals have specific rights regarding their personal data. These rights are known as data subject rights, and they include the following:
1. Right to be informed
The right to information allows individuals (data subjects) to know what personal data is collected about them, why, who is collecting data, how long it will be kept, how they can file a complaint, and with whom they will share the data.
2. Right to access
The data subject’s right to access their personal data is described in Article 15 of the GDPR. In short, data subjects have a right to know:
If you have any of their personal data
The purpose of the processing
The categories of personal data concerned
The recipients or categories of recipients to whom the personal data has been or will be disclosed
The envisaged period for which the personal data will be stored, or if not possible, the criteria used to determine that period
The existence of the right to request rectification or erasure of personal data or restriction of processing of personal data or to object to such processing
The right to lodge a complaint with a supervisory authority
The source of the personal data, if not collected from the data subject
3. Right to rectification
The right to rectification allows individuals to correct inaccurate or incomplete personal data. If an organization or service provider holds incorrect or incomplete personal data, the data subject can request that the organization rectify it.
4. Right to erasure
The right to erasure, also known as the right to be forgotten, allows individuals to request that their personal data be erased. However, this right is not absolute and only applies in certain circumstances, such as when the personal data is no longer necessary for the purpose for which it was collected or when the data subject withdraws their consent.
5. Right to restrict processing
The right to restrict processing allows individuals to request that the processing of their personal data be restricted. This means the organization can store personal data but only use it for any other purpose once the restriction is lifted.
6. Right to data portability
The right to data portability allows individuals to receive their personal data in a structured, commonly used, and machine-readable format. They can then transfer the data to another controller or have the controller transmit the data to another controller where technically feasible.
7. Right to object
The right to object allows individuals to object to the processing of their personal data in certain circumstances. For example, if an organization uses personal data for direct marketing purposes, the data subject can object to this processing.
8. Rights related to automated decision-making and profiling
The right to rights related to automated decision-making and profiling includes the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects them.
How to implement data subject rights
According to the General Data Protection Regulation (GDPR), it is the responsibility of data controllers to fulfill the rights of data subjects. At the same time, processors are required to provide support in this matter. To ensure that organizations comply with these regulations, they can take specific steps to ensure they are fulfilling the requirements.
These steps may include implementing proper data management procedures, providing clear and concise privacy policies, regularly reviewing and updating data protection measures, and ensuring all employees are appropriately trained on GDPR compliance. By following these steps and staying vigilant in their efforts to protect personal data, organizations can ensure they are operating under GDPR guidelines and protecting the rights of their data subjects.
Develop a process for receiving and handling data subject requests
Organizations should have a clear process for receiving and handling data subject requests. This process should include steps for verifying the data subject’s identity and responding to the request within the required timeframe.
Educate employees about data subject rights
Employees who handle personal data should be educated about data subject rights and how to respond to data subject requests. This education should include information about the organization’s data protection policies, procedures, and responsibilities under data protection laws.
Training should cover key areas such as:
The types of personal data the organization collects, processes, and stores
The purposes for which the organization collects and processes personal data
The rights of data subjects under data protection laws, such as the right to access, rectify, and erase their personal data
The organization’s data subject request process, including how to identify and verify data subjects and how to respond to requests within the required timeframe
The potential consequences of non-compliance with data protection laws, such as fines and reputational damage
Implement appropriate technical and organizational measures
Organizations should implement appropriate technical and organizational measures to ensure the security of personal data. This includes measures such as:
Pseudonymization and encryption of personal data
Regular backups of data
Access controls and restrictions
Regular security testing and vulnerability assessments
Incident response and data breach procedures
Conduct a Data Protection Impact Assessment (DPIA)
Organizations should conduct a data protection impact assessment (DPIA) before carrying out any high-risk processing activities. A DPIA is a process that helps organizations identify and mitigate the data protection risks associated with a particular project or activity.
A DPIA should be carried out when:
Processing is likely to result in a high risk to the rights and freedoms of data subjects
Processing involves the use of new technologies
Processing involves profiling or automated decision-making
Processing involves the systematic and extensive evaluation of personal aspects relating to natural persons based on automated processing
Appoint a Data Protection Officer (DPO)
Under the GDPR, some organizations are required to appoint a data protection officer (DPO). A DPO is responsible for advising the organization on its data protection obligations, monitoring compliance with data protection laws, and acting as a point of contact for data subjects and supervisory authorities.
Even if your organization is not required to appoint a DPO, it may be beneficial to do so as part of your GDPR compliance efforts. A DPO can help ensure that your organization’s data protection policies and procedures align with GDPR requirements and can provide guidance and support to employees who handle personal data.
Handling data subject requests (DSRs)
Data controllers must handle data subject requests on time and provide a supplementary statement explaining their legal basis for processing the data subject’s personal data. They must also provide access to the data subject’s personal data free of charge, although a reasonable fee may be charged if the request is unfounded, excessive, or repetitive.
Data controllers must also ensure that the personal data they hold is accurate and up to date. If a data subject contests the accuracy of their personal data, the controller must restrict processing until the accuracy is verified.
Data controllers must also delete data if it is no longer needed for its original processing purpose or if the data subject withdraws their consent. In some cases, data controllers may be required to delete data even if the data subject has not requested it, such as when the processing of personal data poses a high risk to the rights and freedoms of the data subject.
When handling data subject requests, data controllers must also consider the impact of their processing activities on the data subject’s rights and freedoms. Suppose the processing operation will likely result in a high risk to the data subject’s rights and freedoms. In that case, the data controller must conduct a data protection impact assessment (DPIA) to assess the risk and take appropriate measures to mitigate it.
Ensuring data protection is a top priority for data controllers, and respecting data subject rights is a critical step in achieving this goal. By providing data subjects with the necessary information and resources, trust can be established with customers, and compliance with GDPR regulations can be achieved. Data controllers must have a comprehensive understanding of the different types of data subject rights and how to handle their requests to achieve their objectives while safeguarding personal data.