Join David Booth for an in-depth discussion in this video, Understanding data subject rights (DSRs), part of GDPR for Marketers.
- Ultimately, the GDPR is about the protection of the personal data of individuals. And it's important to look at the specific rights data subjects have. These Data Subject Rights, or DSRs, as they're commonly referred to, put the consumer in charge. And understanding how you'll need to respect those rights is a big part of becoming compliant. First, under Article 15, a data subject has the right to access. That means, any data subject can, at any time, request that you provide them in a common, easily understood format, all the personal data that you have about them.
Just throwing a whole bunch of log files at them isn't going to be enough. So this will probably mean new tools and systems that can quickly aggregate and serve back that requested information in a user-friendly format. Or it might even mean building or buying self-serve online solutions that consumers can access themselves. Next, under Article 16, a data subject has the right to rectification. Meaning you'll need to provide individuals a way to correct any personal data you have on them that may be wrong.
Unless you already have a mechanism in place for doing this, compliance is again going to mean some investment in the tools, processes and systems that can accomplish this. Article 17 of the GDPR also gives data subjects the right to erasure, which is essentially the right to be forgotten that we've heard so much about. If an individual asks you to delete all the personal data you have about them, you'll need to be able to comply, and quickly. The specific language used to determine how much time you have to remove everything is "without undue delay."
There are a handful of legal and public domain type exceptions, and you should refer to the full Article 17 for more detail if these apply to you. Short of completely deleting everything about someone, per Article 18, a data subject also has the right to restriction of processing. Restriction of processing allows an individual to request that you stop processing their personal data. Which means you can keep it, so long as you have a good reason to, but you can't use it for anything anymore. Article 19 addresses the right to notification.
Which means if you update, delete, or stop processing any of your data subjects' personal data yourself, you'll also need to notify anyone else that you may have shared this data with so that they can do the same. If you're not able to do that, you'll need to be ready to explain it to a data subject if they ask you. Next on the list is the Right to Portability. What this means is that a data subject can request that you provide their personal data to another organization on their behalf. So if you used to be a loyal customer of Brand X, but something changes and now you only shop at Brand Y, should you request it, Brand X will need to transfer all of your personal data to Brand Y, and do it using a structured, commonly used and machine-readable format.
The GDPR also gives data subjects the right to object to any processing of personal data at any time. That means if you're using personal data to target any kind of advertising towards someone, which could include just about any behavior or attribute used to segment or define a target audience, an individual has the right to object and you can no longer use their personal data for that purpose. Last, the GDPR provides individuals the right to human intervention. Phrased as automated individual decision-making, including profiling.
This ultimately means that any decisions that may have a significant impact on a data subject can't rely solely on automated mechanisms. If you're like most organizations, complying with these rights means you probably have some work to do. That might mean adopting and integrating new tools and systems to allow individuals to access, delete, update, share, or control the way that you use their personal data. Or it may mean sitting down with your legal counsel to decide if your marketing endeavors and advertising partners are respecting these rights.
But understanding the rights of data subjects is a great step towards putting together that to-do list that will ultimately get you GDPR compliant.
- Define “personal data.”
- Name three data subject rights provided by GDPR.
- Recall the steps that need to be taken to comply with GDPR.
- Explain “privacy by design.”
- Identify the responsibilities of a data protection officer.
- Recognize the steps required to audit your data and processes.