GDPR’s New Rights for Individuals: Data Subject Access Requests

While many companies crammed to learn about the GDPR before last week’s deadline, there is still a lot they may not know, but should, to ensure sustainable compliance. With the regulation now in effect, organizations must educate themselves on a set of requirements, Articles 14-22 of the GDPR, that many have either overlooked or not fully grasped the implications of. The GDPR isn’t only about protecting personal data; it also establishes a new set of entitlements for the data subject (that’s the “individual” to you and me). They include the right to request:

  • Confirmation that their personal data is being processed

  • Access to their personal data

  • Deletion of their personal data

  • Portability of their personal data to another organization

The GDPR states that “a data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.” With data subjects thus empowered, companies must be prepared to answer when they come knocking with requests.


Data Subject Access Request

There are three key requirements that affect the management of personal data.

  • Information requested must be provided free of charge. You can’t charge people an access fee to recoup administrative costs.

  • Information must be provided without delay and within a month, except when requests are exceptionally complex or numerous, in which case organizations can extend the deadline to up to three months.

  • Data subjects must be able to make requests electronically and physically. Requests can be made in any form, including through email, phone call or web contact forms.

What can be so hard about that? If you think about it, those baseline requirements mean your organization must:

  • Document and create data subject access request workflow procedures for all types of incoming requests

  • Set up physical and electronic “inboxes” to receive requests

  • When a request is received, look for all personal information in every business system, network, file system, data store (cloud and on-premises), offsite paper archive, etc.

  • Gather and collate all personal data from every place it was found

  • Share that information with the data subject electronically and, if requested, physically

Although most end users don’t know much, if anything, about the GDPR, some will test whether you are ready to handle a data subject access request. And if you can’t, it will become public knowledge via social media and generate a lot of negative publicity. What to do?


Information Management to the Rescue?

Multi-national companies conducting business with the EU have several business systems in place to manage corporate information and customers’ personal data — including Enterprise Resource Planning and Enterprise Content Management systems, file-sync-share applications, network file folders, databases and more — and in many cases, a whole host of legacy systems that are rarely accessed but contain critical personal information. In such a computing environment it is very difficult to know where all customer personal data is located and how it is being used.

Modern Information Management vendors have recognized this challenge. To help make sure you know your data, where it resides and how it’s being used, they deliver:

  • Data Intelligence that collects all of the necessary details about data collection and processing, with zero-gap data lineage tools to map where all personal and sensitive customer data is located in business systems and applications, legacy data stores, databases, data warehouses and data lakes. The data lineage map gives you the origins/creation points of personal data, what happens to it, where it moves over time and the relationships between personal data — types and sources.

  • Content Services that have:

      • Platform-neutral repositories that can reside in cloud, on-premises and hybrid environments

      • Granular policy management functionality to automate the capture of data subject access requests, as well as the management, governance and deletion of electronic personal data

      • REST API and Encryption at Rest services that can be used to:

          • Securely integrate the platform-neutral repository with the Enterprise Data Intelligence and core business systems

          • Index and archive the metadata (type, size, location, access rights, etc.) of personal customer data

          • Manage personal data in place so re-processing of data is not required

          • Provide federated search of personal data no matter where it resides, delivered in context

          • Port personal data in a file-neutral format when required

      • Native redaction services that mask personal data from unauthorized individuals

With a modern and intelligent information management solution, companies can identify all locations where customer personal data is stored, as well as manage the front- and back-office requirements to service data subject access requests. What an information management or any “GDPR” solution can’t do is make your organization compliant. The GDPR is not a technical problem that can be solved with hardware and software. It is a regulation made up of best practices and processes to protect the personal and sensitive data of EU citizens. Still, employing an intelligent information management solution with enterprise data intelligence and content services is an excellent move for handling the data subject access request procedure — a powerful first step toward proactivity in the post-GDPR era.

To learn more about the steps your organization must take to comply with individuals' new rights around the GDPR, download our 2018 GDPR Handbook. For more information on life with the GDPR, read this blog post.

Posted: 5/31/2018 3:05:37 PM by Erin McCart
Filed under: access, data, GDPR, privacy, request, security, subject