GDPR Data Subject Rights: How to Handle the Requests

The General Data Protection Regulation (GDPR) is designed to respond to a growing concern about inappropriate use of personal data and add responsibilities for companies for their response to data breaches.

In this article, we explore GDPR data subject rights, including what a data subject access request is and how organizations can handle these requests efficiently.

What is a data subject access request (DSAR)?

Under the GDPR, individuals have certain rights that organizations (data controllers) must uphold. A data subject access request (DSAR) is the way for an individual to submit a request to exercise one or more of those rights. For example, one data subject right granted by the GDPR is the right of access by the data subject, so it enables individuals to submit DSARs to find out what personal data a particular data controller has collected about them.

The specific rights granted by the GDPR are detailed below. But in broad terms, the GDPR states that “a data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”

What actions do we need to take when we receive a DSAR?

An individual who makes a DSAR expects to receive information on whether you are processing their personal data, a copy of that data, your privacy notice and supplementary information. You need to make sure that you have procedures in place to address DSARs promptly.

Remember that GDPR rights are not absolute; an individual’s fundamental rights have to be balanced against factors such as legitimate public interest. If you have solid grounds, you can refuse to comply with a DSAR, but you must clearly explain your reasons. You can charge a reasonable fee for the administrative costs and efforts required to reply.

Whether you choose to comply with a DSAR or refuse it, you have 30 days to respond.

What data can be requested?

The GDPR applies to personal data — any data that relates to or can be used to identify a person in any way. Examples could include the emails sent between certain people during a certain time period, all workplace data and HR records related to the individual, and the person’s medical history.

What supplementary data should be provided?

In addition to a copy of the individual’s personal data, organizations also have to provide the following information:

  • The purposes of the processing
  • The categories of personal data collected
  • The recipients or categories of recipient that personal data is disclosed to or shared with
  • How long the personal data is held
  • Advice on additional rights, such as the right to object to processing; the right to request rectification, restrict processing; and the right to lodge a complaint with the ICO or another supervisory authority
  • Where you got the data if you did not get it directly from the data subject
  • The existence of any automated decision-making
  • The security measures you provide if you transfer personal data to a third country or an international organization

You should also inform each person who makes a DSAR that they can lodge a complaint with the DPC or seek a judicial remedy. You should give contact information for your company or your data protection officer (DPO) so the person can easily communicate with the right people about any issues or further desires regarding the future of their personal data.

Which rights can individuals exercise under the GDPR?

The GDPR provides eight rights for individuals, which can be grouped into the following six categories:

What information do you hold on me and why?

The right to be informed (Articles 13 and 14). You must be honest and clear about what you do with the personal data you collect. You must respond even if you didn’t collect any personal data from the individual making the request.

The right of access (Article 15). People are entitled to know whether and how their personal data is being processed, including the categories of data collected, the purpose of the processing, whom this data is disclosed to, how long it will be stored, and where the information was obtained.

You have incorrect information about me; I want it corrected.

The right to rectification (Article 16). The GDPR requires companies to ensure that personal data is accurate and up to date, and correct it if it’s not. Individuals have the right to request that inaccurate personal data be corrected, or incomplete data be completed. You need tight integration across your all data systems and processes to ensure data updated in one system is automatically and correctly updated across all other locations too.

I don’t want you to hold data on me anymore. Please delete it!

The right to erasure (right to be forgotten) (Article 17). A person can request that an organization remove their personal information from its records and immediately cease further dissemination of the data.

The company must delete data that meets any of the following criteria:

  • Was collected unlawfully
  • Is no longer needed
  • Was collected during the person’s childhood
  • Appears online

However, the organization can deny the data erasure request if it violates any of the following:

  • The right of freedom and expression
  • Reasons of public interest in the area of public health, scientific or historical research purposes
  • The establishment, exercise or defense of legal claims

Note that even if your company is allowed to retain a person’s data, you need to get the data subject’s consent for further processing.

The right to restriction of processing (Article 18). If it is unclear whether an individual’s data must be deleted, the person can still request a temporary restriction on its processing until the company fixes the issue, informs the individual and gets their consent. Complying with this GDPR right requires case-by-case examination.

I want to transfer the information you hold on me to another service provider.

The right to data portability (Article 20). A person has the right to require a company to move their personal data to another service provider. This right promotes interoperability by facilitating the transfer of user data between data controllers. It also encourages competition between digital services, because users can switch between providers without losing their personal data.

To comply with this provision, you should provide data in a structured machine-readable format that you can transmit directly to the other provider.

Stop calling me!

The right to object to data processing activities (Article 21). Individuals can require companies to stop using their data for marketing or other purposes unless the company can provide a legitimate need for that processing. Valid reasons for refusing this DSAR could include that the request was excessive or unfounded, or that the requested data is used for public, historical or statistical purpose or for the exercise of legal claims.

Complying with this DSAR usually involves moving the data to another internal IT system.

Your automated system makes decisions that affect my legal interests.

Rights in relation to automated decision-making and profiling (Article 22). A person can object to automated processing of their data. Whenever personal data is subjected to automated decision-making and profiling, you have to provide “meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”

The three valid reasons for performing automatic processing and profiling are:

  • The person gave their consent.
  • The processing is necessary for the entry into or performance of a contract.
  • The processing is authorized by a Union or Member state law applicable to the controller.

How can we ensure we can handle DSARs?

The best way to ensure compliance with the data subject rights detailed above is to implement the following best practices:

Know your data. It’s essential to know precisely what regulated information you have, where it resides, where it came from, whom you share it with and your purpose in processing it. Personal data can be stored in a wide range of repositories, including email, personal computers, file stores, databases and cloud-based platforms. If you have to perform a manual search for each DSAR, there’s a high risk that you will miss some relevant information or fail to meet the 30-day deadline.

Therefore, an automated data discovery and classification solution is a wise investment. These solutions scan your data repositories for regulated data and other sensitive content, sort it into categories, and tag each file with a digital signature denoting its classification. You can use the labels to tailor your data protection to the sensitivity of different data stores, and to quickly find the data you need to comply with a DSAR.

Determine the basis for consent of all data. Once you know what data you have, figure out why you store it in the first place. Having clear documentation of each subject’s consent is critical for justifying storing and processing their data. If you do not have a clear reason for storing a given piece of data, delete it.

Create rules for handling each type of sensitive data. Establishing data-centric security workflows will help you avoid costly data breaches and compliance violations. These workflows should based on careful consideration of questions such as, Where should each type of data be stored and for how long? Who should have access to which data? How may specific types of data be used?

Regularly assess your IT risks. Establish a reliable and repeated risk assessment and mitigation process to identify and prioritize the risks threatening data security. Ideally, you want to cover all risks, but in practice, you have to set priorities and protect your most important or sensitive data first. Update access rights to make sure that protected information is available only to authorized personnel and only on a need-to-know basis.

Regularly update your security policies. These policies are your evidence that your company is doing everything it can to properly store and process the personal data of customers. Whenever you modify your policies, document each change you make.

Hire a data protection officer (DPO) if necessary. If you are uncertain about personal data management, you should consult with or hire a DPO — an internal or external advisor who has responsibility for GDPR compliance. Some companies are obliged to appoint a DPO, including public authorities, companies that conduct systematic and large-scale monitoring of individuals, and companies doing large-scale processing of special categories of data, such as data related to criminal convictions and offences.

Provide an easy way for users to submit DSARs. Many companies offer online DSAR forms to ensure requests go to the correct person or department and contain the necessary information. Without such a form, customers are likely to submit their request using the first email address they find — starting the 30-day timer even though the recipient might not be responsible for anything related to GDPR compliance.

Use secure methods of authentication. You are obliged to make sure that each request is made by a legitimate person — but do not do so by requesting GDPR-protected data that you don’t already have, such as identity card numbers, passports or other official documents. Instead, a good option is verify the request by asking the person to provide some personal information you already have; as Recital 63 states, “Where you process a large quantity of information about an individual, the GDPR permits you to ask the individual to specify the information the request relates to.”

Product Evangelist at Netwrix Corporation, writer, and presenter. Ryan specializes in evangelizing cybersecurity and promoting the importance of visibility into IT changes and data access. As an author, Ryan focuses on IT security trends, surveys, and industry insights.