Data Subject Rights in the GDPR: Who has Visibility and Control Over Personal Data?

Enterprises can’t afford to “forget” where sensitive data is located.

One of the General Data Protection Regulation (GDPR) provisions that has garnered considerable attention is the “right to be forgotten”, formally the right to erasure (Article 17). It entitles a person to demand that a company delete their personal data, subject to a handful of exceptions such as a legal obligation to retain it. While only one of several rights the GDPR confirms or establishes, it illustrates the degree of control the regulation gives a person over their own data. Put simply, a company needs a lawful basis before it processes personal data (consent is the most visible of the six bases in Article 6, alongside contract, legal obligation and legitimate interests, among others), and that processing stays lawful only if the person retains continued authority over their data.

Where consent is the lawful basis, it is only valid if the company is clear, at the point of collection, about what data it is requesting and how it will use it, including:

  • Who can access the data?
  • Why is the data being collected?
  • How will the data be used?

Companies must also ensure that consent is freely given, specific, informed and unambiguous, expressed through a clear affirmative action rather than a pre-ticked box or silence. After the data is collected, data subjects retain a degree of authority over their own data. They can exercise it by requesting any personal data a company holds about them. Such requests must be answered without undue delay and in any event within one month; that period can be extended by two further months where requests are complex or numerous, provided the data subject is told of the extension within the first month.

The rights that a person continues to hold over their data include:

  • The right to access their data and to learn how it is being processed (Article 15)
  • The right to have inaccuracies corrected, i.e., rectification (Article 16)
  • The right to have their information deleted, i.e., erasure or the “right to be forgotten” (Article 17)
  • The right to restrict processing while, for example, the data’s accuracy or an objection is being contested (Article 18)
  • The right to take their data with them in a machine-readable format, i.e., data portability (Article 20)
  • The right to object to processing, including an absolute right to object to direct marketing (Article 21)
  • The right not to be subject to decisions based solely on automated processing, including profiling, that significantly affect them (Article 22)

For many global organizations, the biggest challenge in complying with the GDPR’s data subject rights is keeping track of all sensitive data everywhere: on premises, in the cloud, and across the extended enterprise. An access or erasure request can only be honored in full if every copy has been located, including the ones that tend to be overlooked, such as backups, exports, test environments and analytics datasets. To empower data subjects with the right to be forgotten, enterprises must not “forget” where sensitive data is located but rather maintain diligent visibility and control over all of it.
As always, we recommend consulting your legal or compliance teams first, but contact us to learn how Dataguise’s simple, powerful solution for sensitive data governance can help you accelerate (and ensure continued) compliance with GDPR.