GDPR: Understanding the 8 Rights of Data Subjects

Find out what these new rights mean for your organisation

GDPR (General Data Protection Regulation) is the EU’s new legal framework that will replace the EU Data Protection Directive in May 2018. While the directive is merely a recommendation, GDPR carries the force of law. 

The purpose of GDPR is similar to today’s Data Protection Directive. The regulation is designed to protect EU citizens’ personal data by defining how organizations process, store, and destroy it. 

The law also gives individuals control of how companies can use information that is directly relatable to them personally and provides eight specific rights. Some of these rights are new; some are stronger versions of rights that exist under the EU Data Protection Directive. In GDPR, these rights are called the “Rights of Data Subjects.”

Data subjects are the opposite of “data objects”: they are not passive entities who have no option but to accept whatever happens to their personal data. They are independent owners of their data and determine how the data is used. 

Below we highlight the individual rights granted by the GDPR, explain what they mean in practice, and describe how your organization can adapt.

Right to Be Informed 12, 13, 14

Before data is collected, a data subject has the right to know how it will be collected, processed, and stored, and for what purposes.

Create easy-to-read policies that provide explicit details on what information is being stored on an individual and how it will be used. Ensure all data collection processes inform the user before any data is collected.

Right to Access 12, 15

After data is collected, a data subject has the right to know how it has been collected, processed, and stored, what data exists, and for what purposes.

Implement a process and the technical capabilities to:

a) track all data relating to the requestor in your systems,
b) vet a right to access request, and
c) provide that information to the requestor.

These processes could involve considerable manual effort that diverts your staff from other critical projects. You can simplify the work by automating these processes and implementing access logging. When transferring information to data subjects or third parties, make sure it's secure by using secure managed file transfer.

Right to Correction (“Rectification”) 12, 16

A data subject has the right to have incorrect or incomplete data corrected.

Implement a process and the technical capabilities to:

a) vet a right to access request,
b) correct the data, and
c) confirm correction to the requestor.

As this also applies to data your organization passed on to third parties, you need a process to securely inform them of the correction. Support your implementation by automating processes and using secure managed file transfer.

Right to Erasure (Right to Be Forgotten) 12, 17

A data subject has the right to have personal data permanently deleted.

Implement a process and the technical capabilities to:

a) track all data relating to the requestor in your systems,
b) vet a right to erasure request,
c) erase all data in the request, and
d) confirm that erasure to the requestor.

In addition, implement processes and technical capabilities to:

  • Automatically delete data after a determined retention period, unless the data is still required.
  • Inform other processors to whom data was passed of the request.
  • Receive a right to erasure request from another data controller or processor, and to perform it.

Define a highly automated, secure process to vet incoming Right to Erasure requests, inform processors of Right to Erasure requests, erase data in response to Right to Erasure requests, and to automatically erase data that is no longer required, such as after legal retention periods end.

Right to Restriction of Processing 12, 18

A data subject has the right to block or suppress personal data being processed or used.

Implement a process and the technical capabilities to:

a) track all data relating to the requestor in your systems,
b) vet a right to restriction of processing request,
c) pause processing without erasing the data, and
d) confirm the restriction in processing to the requestor.

Define an automated and secure process to vet incoming Right to Restriction of Processing requests, inform processors of the requests, and to restrict (pause) the processing of data.

Right to Data Portability 12, 20

A data subject has the right to move, copy, or transfer personal data from one data controller to another, in a safe and secure way, in a commonly used and machine-readable format.

Wherever technically possible, this also includes the right to have the data transferred directly from one controller to another without the data subject having to handle the data.

Implement a process and the technical capabilities to:

a) track all data relating to the requestor in your systems,
b) vet a right to data portability request,
c) securely transfer the data to another controller or to the requestor, and
d) confirm the transfer to the requestor.

Automate and secure the process of vetting incoming Right to Data Portability requests, and providing the requestor with access to a corresponding data package.

Right to Object to Processing 12, 21

A data subject has the right to object to being subject to public authorities or companies processing their data without explicit consent.

A data subject also has the right to stop personal data from being included in direct marketing databases.

In effect, a combination of the processes and technical capabilities for restriction, limitation, and erasure described above will suffice.

Using automation and secure file transfer, define a process to vet incoming Right to Object to Processing requests, and to inform processors of the request.

Right to Not Be Subject to Automated Decision Making 12, 22

A data subject has the right to demand human intervention, rather than having important decisions made solely by algorithm.

Inform people that they will be subject to algorithmic decision-making and that they can opt out of it. Implement a process and the technical capabilities to:

a) track all data relating to the requestor in your systems,
b) vet an Article 22 request,
c) revert the algorithmic decision, and
d) provide all information to a human decision-maker.

Assist your implementation by defining a process to vet incoming Right to Not Be Subject to Automated Decision Making requests, to inform processors of the request, and to pull together an information package to be used for the human decision-maker.

Rights of Data Subjects, such as the Right to Access, are normally exercised by individuals—the data subjects themselves. 

In some legal contexts, such as law enforcement or security situations, the right of the data subject is replaced by the requirement of a supervisory authority to monitor or regularly audit the data processing to perform oversight.

The basic underlying requirement is the same in both cases: you must be able to vet an incoming request and satisfy the request for information, erasure, etc. 

Fortra solutions can support you in your mandatory implementation of Rights of Data Subjects processes. Our solutions aid your implementation by providing robust capabilities for process automation, access logging, and secure file transfer.

1)    Process Automation

The Rights of Data Subjects require you to define and document a corresponding business process. Automation allows you to streamline those processes, ensuring high efficiency and providing a consistent response to these service requests. 

Most of these processes will consist of manual elements and automated or automatable elements. For example, the vetting of an incoming Right to Access request may include a manual verification of ID documents. Fortra offers solutions that can help you create such hybrid manual-automatic processes, including Automate, Webforms, and Sign Here.

2)    Access Logging

The Right to Access means you must provide, on request, information about which personal data was collected and how it was changed and read after the initial data collection. To capture this information, manual processes are insufficient. In addition to clearly documenting your data flows, you need to automatically log accesses to personal data and to be able to query that information. 

Fortra offers solutions to capture and log different data access. For the IBM i world, we offer logging and reporting capabilities in our data security solutions Powertech Exit Point Manager for IBM i, Powertech Command Security for IBM i, Powertech Authority Broker for IBM i, Powertech Compliance Monitor for IBM i, and Powertech Database Monitor for IBM i. Logging capabilities are also built into our managed file transfer solution GoAnywhere MFT.

3)    Secure File Transfer

Implementing Rights of Data Subjects processes requires you to move data securely from point A to point B. A Right to Access process, for instance, requires you to provide the requestor with a package of all the personal data that you have gathered on her, as well as on how that data was subsequently processed and accessed. 

As this collection itself represents personal data, the same safeguards apply as to the originally gathered data, including the need to protect this information at rest and in transit. 

Providing such a package may also require data to first be pulled together from different departments inside your organization, or even from different companies within the enterprise, before being assembled into a single package to be provided to the customer. 

Our solution GoAnywhere Managed File Transfer provides you with the capability to transfer or make accessible such sensitive information packages in a secure manner. In addition, thanks to the automation capabilities of GoAnywhere MFT, you can also integrate the provision of data into a more complete Right to Access workflow built on Fortra automation solutions mentioned above.

Take the Next Step

Contact the GDPR professionals at Fortra for a free 30-minute consultation. We’ll help you determine what you need to do next to get ready for GDPR.