Data Subject Rights or DSRs have been around for decades, but GDPR massively reinforced and extended them when it took effect in 2018 – five years ago now. Laws around the world, from the USA to Australia, have followed suit, building up and extending rights individuals have over their personal data.
Given this global movement and lawmaking trajectory, we’ll use the term Rights instead of the GDPR-specific term ‘DSRs’, and individuals instead of the GDPR-specific term ‘data subjects’. Indeed, that’s how the UK Information Commissioner’s Office describes them in its guidance. (Also, we’ll say Privacy laws when yes, we know, technically these are data protection laws, but everyone pretty well says Privacy and understands that use now.)
Managing Rights is a key ongoing requirement under GDPR, and an essential part of your ongoing Privacy Governance. Of course, while we trust you find this super helpful, this is just an article with information, it’s not legal advice so make sure you get professional advice on your applicable law(s).
So, first, what are Rights, how many are there and what are they all about?
One can argue over exactly how many Rights there are, and when exactly they came in, but in general terms, we as individuals have long had three fundamental Rights recognised in many Privacy laws around the world, namely:
These Rights have been around for over 40 years, having been set out in two key international conventions and treaties in the early 80’s:
There’s also always been the right to be informed, so that processing is transparent, usually satisfied by a Privacy Policy (yes, you can call it a Privacy Notice or Policy or Statement…) on the organisation’s website, linked to just-in-time data collection notices. And we’ve always been able to complain.
Being informed and being able to complain are technically Rights, but before GDPR no-one really talked about them as such because Rights were more generally seen – and arguably still are – as things that individuals exercised against organisations about their data.
The EU General Data Protection Regulation, or GDPR, went onto the statute books in 2016 and took effect in 2018. GDPR strengthened existing Rights and codified further Rights for individuals, including:
GDPR came about for a number of inter-twined reasons such as the ever-increasing amount of digital data, digital business models exploiting that data, increased security attacks on that data, increased globalisation of supply chains, and corresponding increased risk to individuals.
These led to the desire to update, harmonise, strengthen and standardise the rules on data protection. Clearly such factors were at play around the world, not just in Europe, though GDPR has hugely inspired almost all Privacy laws that came into being after it.
At a federal level, the US has famously followed ‘vertical’ laws such as HIPAA for health, which also includes certain fundamental Rights for individuals. But it’s been very hard to pass a federal ‘horizontal’ comprehensive Privacy law in the USA.
Recently, US states have taken action themselves, famously led by California with the CCPA and then the CPRA, and now joined by many more states, with more to come. All of these comprehensive state laws bring in GDPR-style further Rights, with a US twist. Starting with California, US state laws often include rights to:
Possibly. Not often…
Applicable laws (GDPR + national laws if you’re in the EEA or UK) also set out the exemptions and conditions for each Right. They all come with their own rules, for example:
So do check your applicable laws. The UK Information Commissioner’s Office has some excellent Guidance on Individuals’ Rights, including what personal data is covered and any exemption for each Right.
If you’re not sure this all matters, then think again. Just in the last couple of months:
Books have been written on this, and there’s a lot to it, but in brief:
It’s all about continual improvement.
In the EEA and the UK, the respective GDPRs require you to take relevant action ‘without undue delay and in any event within one month of receipt of the request’, which can be extended once by two months ‘where necessary, taking into account the complexity and number of the requests’.
And for example in the new US state laws, you often have 45 days, which can be extended by another 45 days. So, again, do check your applicable law.
Our global Rights solution means you get all the obvious benefits of managing Rights in SaaS such as great collaboration, instant alerts, no version control issues with spreadsheets, least privilege and role-based access for your team, integration with the rest of our solution such as your Data Map and Tasks, and instant automatic reporting and KPIs.
See how we help make Rights management so much easier – book your demo today!