GDPR (General Data Protection Regulation) is the EU’s new legal framework that will replace the EU Data Protection Directive in May 2018. While the directive is merely a recommendation, GDPR carries the force of law.
The purpose of GDPR is similar to today’s Data Protection Directive. The regulation is designed to protect EU citizens’ personal data by defining how organizations process, store, and destroy it.
The law also gives individuals control of how companies can use information that is directly relatable to them personally and provides eight specific rights. Some of these rights are new; some are stronger versions of rights that exist under the EU Data Protection Directive. In GDPR, these rights are called the “Rights of Data Subjects.”
Data subjects are the opposite of “data objects”: they are not passive entities who have no option but to accept whatever happens to their personal data. They are independent owners of their data and determine how the data is used.
Below we highlight the individual rights granted by the GDPR, explain what they mean in practice, and describe how your organization can adapt.
THE 8 GDPR RIGHTS | GDPR ARTICLES | WHAT DOES IT MEAN TO INDIVIDUALS? | HOW TO ADDRESS IT IN MY ORGANISATION? |
Right to Be Informed | 12, 13, 14 | Before data is collected, a data subject has the right to know how it will be collected, processed, and stored, and for what purposes. | Create easy-to-read policies that provide explicit details on what information is being stored on an individual—and how it will be used. Ensure all data collection processes place informing the user before the collection of data. |
Right to Access | 12, 15 | After data is collected, a data subject has the right to know how it has been collected, processed, and stored, what data exists, and for what purposes. |
Implement a process and the technical capabilities to: a) track all data relating to the requestor in your systems, These processes could involve considerable manual efforts that divert your staff from other critical projects. You can simplify the work by automating these processes and implementing access logging. When transferring information either to the data subjects or third parties, make sure its secure by using secure managed file transfer. |
Right to Correction (“Rectification”) | 12, 16 | A data subject has the right to have incorrect or incomplete data corrected. |
Implement a process and the technical capabilities to: a) vet a right to access request, As this also applies to data your organization passed on to third parties, you need a process to securely inform them of the correction. Support your implementation by automating processes and using secure managed file transfer. |
Right to Erasure (Right to Be Forgotten) | 12, 17 | A data subject has the right to have personal data permanently deleted. |
Implement a process and the technical capabilities to: a) track all data relating to requestor in your systems, In addition, implement processes and technical capabilities to:
Define a highly automated, secure process to vet incoming Right to Erasure requests, inform processors of Right to Erasure requests, erase data in response to Right to Erasure requests, and to automatically erase data that is no longer required, such as after legal retention periods end. |
Right to Restriction of Processing | 12, 18 | A data subject has the right to block or suppress personal data being processed or used. |
Implement a process and the technical capabilities to: a) track all data relating to requestor in our systems, Define an automated and secure process to vet incoming Right to Restriction of Processing requests, inform processors of the requests, and to restrict (pause) the processing of data. |
Right to Data Portability | 12, 20 |
A data subject has the right to move, copy, or transfer personal data from one data controller to another, in a safe and secure way, in a commonly used and machine-readable format. Wherever technically possible, this also includes the right to have the data transferred directly from one controller to another without the data subject having to handle the data. |
Implement a process and the technical capabilities to: a) track all data relating to requestor in your systems, Automate and secure the process of vetting incoming Right to Data Portability requests, and providing the requestor with access to a corresponding data package. |
Right to Object to Processing | 12, 21 |
A data subject has the right to object to being subject to public authorities or companies processing their data without explicit consent. A data subject also has the right to stop personal data from being included in direct marketing databases. |
In effect, a combination of the processes and technical capabilities for restriction, limitation, and erasure described above will suffice. Using automation and secure file transfer, define a process to vet incoming Right to Object to Processing requests, and to inform processors of the request. |
Right to Not Be Subject to Automated Decision Making | 12, 22 | A data subject has the right to demand human intervention, rather than having important decisions made solely by algorithm. |
Inform people that they will be subject to algorithmic decision-making and that they can opt out of it. Implement a process and the technical capabilities to: a) track all data relating to requestor in our systems, Assist your implementation by defining a process to vet incoming Right to Not Be Subject to Automated Decision Making requests, to inform processors of the request, and to pull together an information package to be used for the human decision-maker. |
Rights of Data Subjects, such as the Right to Access, are normally exercised by individuals—the data subjects themselves.
In some legal contexts, such as law enforcement or security situations, the right of the data subject is replaced by the requirement of a supervisory authority to monitor or regularly audit the data processing to perform oversight.
The basic underlying requirement is the same in both cases: you must be able to vet an incoming request and satisfy the request for information, erasure, etc.
Fortra solutions can support you in your mandatory implementation of Rights of Data Subjects processes. Our solutions aid your implementation by providing robust capabilities for process automation, access logging, and secure file transfer.
1) Process Automation
The Rights of Data Subjects require you to define and document a corresponding business process. Automation allows you to streamline those processes, ensuring high efficiency and providing a consistent response to these service requests.
Most of these processes will consist of manual elements and automated or automatable elements. For example, the vetting of an incoming Right to Access request may include a manual verification of ID documents. Fortra offers solutions that can help you create such hybrid manual-automatic processes, including Automate, Webforms, and Sign Here.
2) Access Logging
The Right to Access means you must provide, on request, information about which personal data was collected and how it was changed and read after the initial data collection. To capture this information, manual processes are insufficient. In addition to clearly documenting your data flows, you need to automatically log accesses to personal data and to be able to query that information.
Fortra offers solutions to capture and log different data access. For the IBM i world, we offer logging and reporting capabilities in our data security solutions Powertech Exit Point Manager for IBM i, Powertech Command Security for IBM i, Powertech Authority Broker for IBM i, Powertech Compliance Monitor for IBM i, and Powertech Database Monitor for IBM i. Logging capabilities are also built into our managed file transfer solution GoAnywhere MFT.
3) Secure File Transfer
Implementing Rights of Data Subjects processes requires you to move data securely from point A to point B. A Right to Access process, for instance, requires you to provide the requestor with a package of all the personal data that you have gathered on her, as well as on how that data was subsequently processed and accessed.
As this collection itself represents personal data, the same safeguards apply as to the originally gathered data, including the need to protect this information at rest and in transit.
Providing such a package may also require data to first be pulled together from different departments inside your organization, or even from different companies within the enterprise, before being assembled into a single package to be provided to the customer.
Our solution GoAnywhere Managed File Transfer provides you with the capability to transfer or make accessible such sensitive information packages in a secure manner. In addition, thanks to the automation capabilities of GoAnywhere MFT, you can also integrate the provision of data into a more complete Right to Access workflow built on Fortra automation solutions mentioned above.
To learn more about GDPR and the rights of data subjects, see these useful resources:
- The full text of GDPR in 24 languages
- Article 29 working group guidelines on data portability
- The European Data Protection Supervisor on rights of data subjects
Take the Next Step
Contact the GDPR professionals at Fortra for a free 30-minute consultation. We’ll help you determine what you need to do next to get ready for GDPR.