With the emergence of privacy laws, like the GDPR, that aim to protect our privacy both online and off, it is important to understand what data subject rights your customers will expect your business to respect. This emergence has brought with it new regulations which need to be followed by all organizations, but it has also solidified a new group of rights to be applied to all individuals subject to each regulation. Today we’re going to look at the Data Subject Rights under the General Data Protection Regulation so that we can better understand these rights as business owners.
You hear the term “data subject” thrown around quite frequently when discussing global privacy laws and regulations. This term refers to the individual from whom personal information is collected. The data subject is anyone whose information is collected, stored, and/or processed by an organization. This data subject has a number of rights associated with the collection of their personal data.
Transparency is fundamental to the GDPR, and this first right reflects that by obliging organizations to provide transparent information to the data subject when requested. This information includes exactly what information is processed, the purpose of data processing, data retention periods, and with whom the personal information is shared.
Further to the transparency of the first right, this right ensures that the data subject has the opportunity to access and view the data that is being processed. Data subjects can also request copies of their personal data. This, according to the ICO, is what is commonly referred to as a Subject Access Request.
Under the GDPR, the data subject is given the right to request modifications to their data if they believe it contains inaccuracies or inconsistencies. A data subject can also have incomplete records completed. Right to Rectification requests are handled in the same way as Subject Access Requests and are to be responded to without undue delay and within one month of receipt.
Often in GDPR language, you will see that if consent is freely given, it must also be freely revocable. This right ensures that the data subject is able to freely revoke consent at any time for the processing of their data. Once that consent is revoked, the organization must stop its processing activities so long as processing is based on that consent and there is no other lawful reason for processing.
Also known as the “Right to be Forgotten,” this right provides data subjects with the ability to have their data erased. Unfortunately, this is not an absolute right, and there are some situations where the right to erasure should be denied, such as with legal investigations or governmental responsibility. According to The ICO, the right to erasure applies when:
Under certain circumstances, a data subject can object to the processing of his or her personal data at any time, preventing the organization from using their information. The strongest objection that a data subject can make is to the use of their personal data for direct marketing purposes. For whatever reason, if a request is successful, the organization must stop all processing activities. The organization still has the right and ability to store the individual’s data.
This right is closely related to the Right to Object because as soon as this right is exercised, an organization must stop processing an individual’s data. This right can also be exercised only under certain circumstances, and the request can be made verbally or in writing. In this way, an individual can restrict the way that an organization processes their data, usually because they have issues with the exact information held, such as when contesting its accuracy or the way it is processed.
The GDPR includes provisions on automated decision-making and profiling based solely on automated means without human involvement. Under these provisions, data subjects are given the right to object to decisions that are made without human involvement. If a decision is made that an individual disagrees with, they can request that a manual decision be made, unimpeded by automated profiling and decision-making.
Data subjects have the right to receive their data in a structured, commonly used, machine-readable format. They are also given the right to have their data transferred to a controller of their choice. This right affords data subjects the freedom to have and reuse their data for their own purposes.
Subject access requests are usually put forth by the data subject themselves or by an organization on their behalf. To process these requests, the identity of the data subject must first be authenticated, and a response made to the data subject or organization that made the request. Requests must be handled and/or responded to without undue delay and within one month of the request, with a potential extension period of up to two additional months.
Business owners need to consider their business’ current security systems and data protection frameworks. Securicy helps organizations establish a robust, comprehensive, and effective security program and implement the necessary data protection controls in their business.
With automated compliance checks, you can quickly evaluate your current information security framework and prioritize the gaps that may put the company at risk of not complying. Securicy can assist you with compliance with various frameworks such as SOC 2, HIPAA, ISO 27001, and GDPR. Build a robust data protection framework for your business by booking a demo with Securicy today.
One easy thing you can do to get started now? Check out our free “GDPR for Beginners” eBook, which includes a 10-item checklist to help you get GDPR compliant now.