DSRs or Individuals' Rights: A Backgrounder

Data Subject Rights, or DSRs, or Individuals' Rights: what are they, can you refuse, why you need to take them seriously, and how you can manage them.
Data Subject Rights

Data Subject Rights or DSRs have been around for decades, but GDPR massively reinforced and extended them when it took effect in 2018 – five years ago now. Laws around the world, from the USA to Australia, have followed suit, building up and extending rights individuals have over their personal data.

Given this global movement and lawmaking trajectory, we’ll use the term Rights instead of the GDPR-specific term ‘DSRs’, and individuals instead of the GDPR-specific term ‘data subjects’. Indeed, that’s how the UK Information Commissioner’s Office describes them in its guidance. (Also, we’ll say Privacy laws when yes, we know, technically these are data protection laws, but everyone pretty well says Privacy and understands that use now.)

Managing Rights is a key ongoing requirement under GDPR, and an essential part of your ongoing Privacy Governance. Of course, while we trust you find this super helpful, this is just an article with information, it’s not legal advice so make sure you get professional advice on your applicable law(s).

So, first, what are Rights, how many are there and what are they all about?


3 old, fundamental, Rights (OK, 3+ …)

One can argue over exactly how many Rights there are, and when exactly they came in, but in general terms, we as individuals have long had three fundamental Rights recognised in many Privacy laws around the world, namely:

  1. to receive a copy of the personal data an organisation is processing about us (the access right),
  2. to have them correct that personal data where it’s inaccurate (the correction or rectification right), and
  3. to ask them to delete our personal data (the deletion or erasure right).

These Rights have been around for over 40 years, having been set out in two key international conventions and treaties in the early 80’s:

  • Convention 108, from 1981, which is the only legally binding international treaty on data protection, and
  • OECD Guidelines, from 1980, on which many laws are based.

There’s also always been the right to be informed, so that processing is transparent, usually satisfied by a Privacy Policy (yes, you can call it Privacy Notice or Policy or Statement…) on the organisation’s website, linked to just-in-time data collection notices. And we’ve always been able to complain.

Being informed and being able to complain are technically Rights, but before GDPR no-one really talked about them as such because Rights were more generally seen – and arguably still are – as things that individuals exercised against organisations about their data.


Enter GDPR

The EU General Data Protection Regulation, or GDPR, went onto statute books in 2016 and took effect in 2018. GDPR strengthened existing Rights and codified further Rights for individuals, including:

  • Port – to receive our personal data in a digital format so we can take it to another provider.
  • Restrict – to limit an organisation’s processing of our personal data in certain circumstances.
  • Object – to object to processing of our data, which covers multiple Rights including:
      ◦ Automated decision making – to object to automated decision making, including profiling, when that has a legal or similarly significant impact on us, and
      ◦ Direct marketing – to object to use of our personal data to target us with direct marketing.
  • Withdraw consent – this has always been available when consent was the legal basis for the processing, but GDPR emphasised this Right as part of beefing up the rules around use of consent.


The global movement

GDPR came about for a number of intertwined reasons such as the ever-increasing amount of digital data, digital business models exploiting that data, increased security attacks on that data, increased globalisation of supply chains, and corresponding increased risk to individuals.

These led to the desire to update, harmonise, strengthen and standardise the rules on data protection. Clearly such factors were at play around the world, not just in Europe, though GDPR has hugely inspired almost all Privacy laws that came into being after it.

US state laws

At a federal level, the US has famously followed ‘vertical’ laws such as HIPAA for health, which also includes certain fundamental Rights for individuals. But it’s been very hard to pass a federal ‘horizontal’ comprehensive Privacy law in the USA.

Recently, US states have taken action themselves, famously led by California with the CCPA then CPRA, and now joined by many more states with more to come. All of these comprehensive state laws bring in GDPR-style further Rights, with a US twist. Starting with California, US state laws often include rights to:

  • opt out of the sale or sharing of your personal data, and
  • opt out of targeted advertising, which usually differs from the EU and UK GDPR Right to object to direct marketing as it tends to be only about online advertising.


Can you refuse?

Possibly. Not often…

  • Most laws allow you to refuse to act when someone exercises a Right, but only in very limited circumstances. For example, in GDPR, you can refuse where requests ‘are manifestly unfounded or excessive, in particular because of their repetitive character’. Privacy laws are there to protect individuals (and allow for business to happen within limits) so exceptions like this are interpreted strictly.
  • The UK ICO has a whole load of guidance on this. Post Brexit (sorry), the UK is looking to make some changes to this wording, though we’ll see if the Bill passes, what it says in its final version, and any new guidance and case law on it to judge the actual impact.

Exemptions

Applicable laws (GDPR + national laws if you’re in the EEA or UK) also set out the exemptions and conditions for each Right. They all come with their own rules, for example:

  • some you just need to do, such as the objection to use for direct marketing,
  • some are limited to apply only to certain types or categories of personal data, such as the right to port personal data, and
  • some are limited depending on other factors such as the existence of an overriding legal basis or need to process (such as deletion). We’d all like to tell our employers to delete all our payroll information but they’re under an obligation to tell HMRC and pay tax based on our remuneration.

So do check your applicable laws. The UK Information Commissioner’s Office has some excellent Guidance on Individuals’ Rights, including what personal data is covered and any exemption for each Right.


You need to care about Rights

If you’re not sure this all matters, then think again. Just in the last couple of months:

  • Spotify was fined €5 million by the Swedish regulator on 12 June 2023, for not giving the right information to an individual when they exercised their Right of access,
  • a Berlin bank was fined €300k by the Berlin regulator on 31 May 2023, for not explaining its automated decision making clearly enough after an individual was refused credit by an algorithm,
  • WIND was fined €120k by the Greek regulator on 29 May 2023, for not fulfilling an objection to direct marketing and not reacting properly to an access Right, and
  • Volkswagen Leasing GmbH was fined €40k by the Italian regulator on 17 May 2023, also for not fulfilling an access request.


Managing Rights

Books have been written on this, and there’s a lot to it, but in brief:

  1. Appoint a Privacy lead in your organisation, with the right support so they can in turn properly support your organisation, with good knowledge of your applicable Privacy laws, Rights, and when to escalate.
  2. Train all staff on what’s expected of them (‘Privacy 101’), and add specific training for those likely to receive Rights from individuals on how to recognise them and how to deal with them, such as template responses to the individual, recording relevant information, and passing on the request to the Privacy lead.
  3. If you receive a constant stream of Rights and people other than your Privacy lead are going to be handling them, then train the Rights team on each aspect of Rights, starting with Rights themselves and your internal processes for handling them.
  4. You do need a system (however that looks as long as it works well for you) to intake Rights, recognise them, decide if you’re accepting them, establish the various dates and deadlines, identify exemptions, manage fulfilment of the Right, and report – both to the individual, as well as keeping logs and records so you can prove, plan and improve your compliance.

It’s all about continual improvement.

Deadlines

In the EEA and the UK, the respective GDPRs require you to take relevant action ‘without undue delay and in any event within one month of receipt of the request’, which can be extended once by two months ‘where necessary, taking into account the complexity and number of the requests’.

And for example in the new US state laws, you often have 45 days, which can be extended by another 45 days. So, again, do check your applicable law.


How Keepabl makes it easier

Our global Rights solution means you get all the obvious benefits of managing Rights in SaaS such as great collaboration, instant alerts, no version control issues with spreadsheets, least privilege and role-based access for your team, integration with the rest of our solution such as your Data Map and Tasks, and instant automatic reporting and KPIs.

See how we help make Rights management so much easier – book your demo today!
