An Accountability Approach to Data Subject Rights: Understanding and Protecting the Rights of Individuals Under Multiple Laws
Although they have been around for almost four decades, data subject rights have recently gained attention with the advent of the EU’s GDPR and California’s upcoming CCPA. Both laws award extensive rights to data subjects.
What are data subject rights?
Data subject rights allow individuals:
1. to understand what an organisation knows about them; and
2. to restrict or change what an organisation knows about them.
This is a simple definition, and there are many different rights linked to the broader concept of data subject rights. On the one hand, there are the rights that require a data subject to make a request before an organisation has to act, and on the other hand, there are the non-request rights that organisations have to fulfill at all times.
Which data subject rights are most common?
The Right of Access:
This right allows an individual to understand which of their data are being processed. Requests can be submitted in virtually any way and in many jurisdictions a copy of the individual’s data can be obtained.
The Right to Rectification or Correction:
Based on the principle of data quality, this right enables an individual to change data. Inaccurate or incomplete data can be rectified at the request of the individual, such as a change of address or marital status. Not all information is eligible for correction, including assessment data, personal analysis, or other opinion-based data.
The Right to Deletion or Erasure:
This right allows for the removal of personal information from a database at the request of a data subject. This is not an unlimited right. Most laws prescribe use cases, such as:
- the information is no longer necessary for the purpose;
- consent for processing is withdrawn;
- the information has been processed unlawfully.
When a deletion request is received, organisations must verify whether deletion is possible and allowed.
The Right to be Forgotten:
A specific version of the right to deletion is the right to be forgotten. This includes the right to be delisted from a search engine. It is not absolute. It only applies if the information:
- cannot be removed from the original source;
- is no longer considered relevant;
- is context-specific.
This right applies in the EU and many Latin American countries based on case-law, and in South Korea based on guidelines from the Korean Communications Commission.
The Right to Information:
The rights discussed above require data subjects to make requests. The right to information is a right that always applies and, in many jurisdictions, is also known as the notice requirement. In the interest of transparency, organisations are required to disclose to data subjects what information is being processed, for which purpose, by whom, and which parties it is being shared with or sold to. Most organisations will include all of this information in a privacy statement or notice. In many jurisdictions, including the EU, the information provided needs to be specific to the data collected.
Other common data subject rights
The Right to Data Portability:
Under the GDPR, individuals are entitled to take their data from one organisation to another, if processing is based on consent or contract, and it is done by automated means. The CCPA stipulates that when an organisation provides information to an individual in an electronic format, it must be portable and readily transferable.
The Right to Restriction of Processing:
A specific right under the GDPR is the right to restrict the processing of an individual’s data, if the data itself or the lawfulness of the processing are contested.
The Right to Complain:
Several jurisdictions have included in their legislation the possibility to file complaints to an organisation about their data processing practices. If the complaint is found to be justified, changes to the organisation’s policies and procedures will need to be made. In all jurisdictions but Brazil, the legislation contains provisions allowing individuals to file a complaint with a data protection authority.
The Right to Not be Subject to Automated Decision-Making:
Strongly advocated in the EU, this right is closely linked to the transparency of processing and the need for individuals to have control over their own data. However, this right is not absolute. The GDPR, for example, also allows for some explicit exemptions, such as the preparation and execution of contracts.
No right is absolute
Many privacy and data protection laws around the world contain specific provisions, allowing exceptions and limitations to the rights of individuals. It is important for organisations to understand that these exceptions and limitations exist, and how and when they can be applied.
How to embed data subject rights into your privacy program
An accountability approach to compliance means implementing and embedding relevant policies, procedures, and other measures throughout the organisation, and assigning responsibility for these activities. Ideally, the activities will also be reviewed on a regular basis, such as annually or semi-annually. Such reviews will serve to produce documentation, including meeting minutes and memos, in addition to the actual policies, procedures, and log files, which can all serve as evidence to demonstrate compliance to regulators and other stakeholders.
The best way to ensure compliance is embedded throughout your organisation is to develop a program based on a framework that maps to multiple laws, such as the Nymity Privacy Management Accountability Framework™. It will help you to implement all the right privacy management activities to deal with data subject rights under the GDPR, the CCPA, and all the other privacy laws around the globe.