What Is A Data Subject?
A data subject is simply the individual or end user whose personal information is being collected. This individual is capable of being identified through metrics such as ID numbers, a name, locational data, mental, economic, genetic, physical, cultural, and social markers.
What Are Data Subject Rights?
The General Data Protection Regulation(GDPR ) aims to empower individuals through the following rights:
1. Right to be informed.
All individuals and end users can submit a request asking an organization for all the data they have processed and collected on them so far. All organizations are subject to comply with this request, and are required to do so within one month of submission of the request.
Failure to comply can lead to penalties which vary depending on the location the individual in question resides in.
3. Right to rectification.
Any individual or end user can submit a request of rectification to an organization regarding their own personal details. The purpose of this is to allow individuals to update inaccurate or incomplete details that the organization holds. While this is the primary reason, individuals can request rectification for any reason whatsoever as the personal information in question belongs to the individual and not the organization.
4. Right to be forgotten.
Any individual or end user can request an organization maintaining personal records of them to erase the data they have on hand. This may be deemed necessary in situations where the data collected is no longer necessary to collect and maintain as per the laws of the region. This right also applies when organizations cannot prove that they gained personal information on individuals in a lawful and proper manner. Since the information belongs to the individual in question and not the organization, the individual may also revoke their consent of data collection at any time.
5. Right to restrict processing.
Any individual or end user can request an organization to limit the personal information that is collected at any time. This right can be exercised whenever the individual feels there is no longer a need for data collection. Such as when they no longer need the product or service that is being used to collect information anymore.
The right to restrict processing is similar to the right of erasure, but applies to situations when erasure is deemed undesirable.
6. Right to data portability.
Any individual or end user retains the right to reuse and repurpose the information collected by organizations at any time as they see fit. This right only applies to information that is gained by means of a contract or consent.
7. Right to object to processing.
Any individual or end user can object to the processing of their personal data on the grounds that organizations need to demonstrate a reasonable need for the data collection in the first place.
This right is particularly important when protecting the interests of those involved in the defense of legal claims.
8. Rights in relation to automated decision making and profiling.
Any individual or end user retains the right to challenge organizations on the processing of their personal data. This can be done in the event that an individual suspects the information processed has been profiled according to physical, mental, social, economic, or psychological parameters.
They may also challenge an organization in the event they have reason to believe that lawful procedures have not been followed during data collection and processing.
Violation Of Common GDPR Data Subject Rights
The General Data Protection Regulation is aimed at protecting the rights of individuals and giving them control over their own personal information.
To effectively fulfill this, the regulations do contain some teeth to prevent bad actors from engaging in bad faith and committing violations.
In the UK, violations carry a maximum fine of £17.5 million, or a fine that amounts to 4% of the organization’s annual global turnover. This has been deemed necessary so that the regulations are not seen as another cost of business for organizations engaging in bad faith.
In Europe, violations carry a maximum fine of £18 million, or a fine that amounts to 4% of annual global turnover.
Not all violations lead to monetary penalties. The Information Commissioner’s Office can act at their own discretion to issue warnings, temporary bans, and suspensions of activity to those they believe are engaging in violations.
Operationalization Of GDPR Rights Of The Data Subject
Organizations that collect large quantities of personal information often use automation in their processes.
The processes often have clear workflows where systems can monitor and handle user requests in the collection process.
The same systems can, in turn, be used to operationalize the data protection rights to get GDPR Compliant
This is what allows end users to register requests and follow up with the processing of their requests. These systems can provide notifications to the end user for every step of the process to aid individuals in more effectively controlling agency over their data.