An organisation’s Privacy Notice is the simple way by which it shares with its customers (or anyone else whose data it holds!) their Data Subject Access Rights – or DSARs, for short.
However, it can be difficult to implement and specify the DSARs if we don’t know which database(s) to apply them to, or if we don’t have the ability to perform these requests. For example, help may be required from the IT department to enable certain tasks to be performed on the databases.
In practice, DSARs cover the following rights:
- Right to be Forgotten, AKA Right of Erasure
This is part of EU law, the European Data Protection Directive. With regards to GDPR, this concerns how long the organisation keeps the data: it must not keep it any longer than stated in the Privacy Notice. This gives the organisation a structure for knowing where to find and delete this data. The “Right to be Forgotten” is exercised at the request of the data subject (the person who provides the data). An easy-to-remember example is choosing to unsubscribe from emails or newsletters; this is, in effect, a right to be forgotten.
- Right of Rectification
This is simply when data needs to be changed or updated because a piece of data is incorrect. People need to be able to modify data they have provided so that it reflects reality. The data subject (the person requesting rectification) must provide some form of proof that they are who they claim to be. The Right of Rectification is a right, not a God-given right, but it still needs due diligence.
- Right to Restrict Processing
The data subject can stop or prevent any of their personal data from being processed. An organisation can hold onto this data, but may not process it, at the request of the data subject. Often restriction is due to some dispute between the parties.
- Right of Access
The data subject may request to know what data the organisation currently holds on them. This request will be fulfilled using internal resources, such as asking the HR department. You will have to find what evidence you hold for a specific piece of data. Depending on the request, the IT department might be needed to find it. This can be an onerous internal job. You may have to check whether this covers everything, or every location where the data is held. Data mapping will uncover other areas where data may lie, such as emails.
- Right to Data Portability
Data portability is when you put information in a machine-readable file or format so it can be transferred from one company to another, or when the data subject asks for, or needs, their information moved from one place to another for whatever reason.
It is vital under GDPR that these DSARs are made clear to data subjects within an organisation’s Privacy Notice – whether the Privacy Notice itself is a large, continuous document, or “layered” so customers can pinpoint the exact information they need in a concise and engaging manner.