You must have already heard of the GDPR, the most robust data protection law to date in the EU. At its most basic level, the regulation lays out what constitutes lawful processing of personal data (how it is collected, used, protected, or interacted with in general) and grants individuals whose personal data is processed some rights, called “data subject rights”.
👀 In this article, we take a look at what these rights are and how you can lawfully respect them as a business.
Before diving in, let’s define what a data subject is. Who does it even refer to?
The term “data subject” is used in the GDPR text to describe an “identified or identifiable natural person”. It is essentially the individual whose personal data (e.g. an email address) is being collected, processed or stored by a business.
Personal data under the GDPR covers any information relating to such a person, including pieces of information that only identify someone once they are combined.
🔍 Read our article to learn more about what is considered personal information across major privacy laws.
The GDPR recognizes the necessity to protect personal data and to ensure individuals have control over it.
It gives data subjects a say in what businesses do with the personal data held on them, by granting them a list of 8 data subject rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights related to automated decision-making and profiling. Keep reading for more detail.
You need to inform users that their data is being collected, which data in particular, and why. This also means that your privacy notices should be concise, easy to understand and easily accessible throughout your website/app.
Users have the right to access their personal data and information about how their personal data is being processed.
Users have the right to have their personal data rectified if it is inaccurate or incomplete.
When data is no longer relevant to its original purpose or where users have withdrawn consent, users have the right to request that their data be erased.
Users have the right to restrict the processing of their personal data in specific cases.
Under certain conditions, users have the right to obtain a copy of their personal data in a machine-readable format and reuse it for their own purposes.
Users have the right to object to certain activities in relation to their personal data.
Users have the right not to be subjected to a decision that is based on automated processing or profiling and that produces a legal or similarly significant effect on them.
🔍 You can find full details on the rights above in simplified terms in our GDPR guide here, or you can read the official GDPR text here.
What do these rights mean for your business, in practice?
A Data Protection Officer (DPO) is usually appointed by a company to ensure that personal data is processed following the applicable data protection rules. This includes personal data:
Note that if the GDPR applies to your company and you process a significant amount of personal data, you are legally required to designate a DPO.
When it comes to data subjects and their rights, the DPO often acts as the main point of contact and handles requests from individuals who wish to exercise those rights.
🔍 We have compiled a quick guide for what to look for when choosing your DPO. Check it out here!
To comply with GDPR requirements, it is essential to fulfill Data Subject Requests (DSRs), which cover the full range of rights individuals can exercise under the regulation: the rights to access, rectify and erase their data, to restrict its processing, to data portability, to object to processing, and not to be subject to automated decision-making.
When fulfilling DSRs, organizations must respond promptly and effectively, within the legal timeline (typically one month). Among these requests, Data Subject Access Requests (DSARs), in which individuals ask for access to their personal data, are particularly common and must be handled with care to ensure compliance. Honoring DSRs goes beyond DSARs, however, since it means respecting every right granted under the GDPR.
Filing a Data Subject Access Request is the step individuals take to exercise their key right of access under the GDPR. Data subjects can send a written request asking for the following information:
🔍 Learn more about how to handle DSAR here.
Honoring all Data Subject Requests (DSRs), including DSARs, requires a robust and organized approach. Start by putting clear internal procedures in place for identifying, tracking, and responding to requests. Here is a practical roadmap:
Needless to say, you should:
✅ Take these rights seriously and have appropriate technical and organizational measures in place to respect them;
✅ Oversee the training of your staff (if any) on data protection matters and handling data subject requests;
✅ Make sure your privacy documents are complete and up-to-date!
Failure to honor these rights can result in fines and reputational damage.
🚀 Here are 5 things you need to do now to comply with the GDPR