Data subject rights under GDPR: What we know, don’t know, and must do
June 4, 2018
Members of the International Information System Security Certification Consortium's advisory council on GDPR give a pragmatic explanation of the rights of data subjects under GDPR and how to manage them.
Before Europe’s General Data Protection Regulation (GDPR) raised awareness, organisations routinely collected as much data as possible. Data brings knowledge, power and value. However, as digital capabilities enter mainstream practice, we are also seeing expectations that data will be managed and used responsibly.
Concerns, particularly around privacy, compounded by the seemingly endless flow of media reports covering data security breaches, snooping or surveillance and, most recently, increasingly sophisticated profiling, suggest that we are falling short of these expectations.
GDPR caters to consumer expectations of data privacy and significantly extends the scope of individual rights regarding their personal data. The “right of access” and requests made by individuals for the correction or erasure of the personal data held or processed by an organisation have emerged as one of the most challenging areas to address.
Hoarding personal data without a defined purpose is being replaced with an immediate requirement to actively manage the data collected. This represents an enormous task in an environment where organisations have widely admitted that they are unaware of the nature and value of up to 70% of the data they previously collected. Organisations also report that they have little idea of the demand they are likely to experience for either access to or requests for personal data to be erased or changed.
Further, the concept of “personal data” under the GDPR is quite broad. Internet protocol (IP) addresses, cookie identifiers and other identifiers (such as radio frequency identification tags) as well as pictures of individuals, posts on social media, even marked exam test papers, all fall within scope under the GDPR.
Data subject rights: not new, not absolute
These rights are not new, nor are they absolute in all circumstances. GDPR introduces additional requirements, such as the 30-day time limit to comply with access requests, and the obligation to inform about the period for which the data will be stored, provide information about the existence of the right to complain to the Data Protection Authority (DPA), and more.
GDPR recognises in its recitals that data subject rights should not adversely affect the rights or freedoms of others or undermine the organisation’s interests in, for example, protecting trade secrets, intellectual property or copyright. This means a balance of interests will always need to be considered.
Organisations should have established a data governance regime, grounded in a “record of processing activity” that gives a clear picture of their data landscape. This provides a basis for them to immediately demonstrate their commitment to comply with both their in-country Data Protection Authority (DPA) and the individuals that may exercise their rights.
Managing GDPR data subject rights
(ISC)2’s EMEA Advisory Council’s GDPR Task Force suggests planning the following:
Enhance transparency: The first principle the regulation aims to establish is transparency of processing. It should be clear to individuals to what extent their personal data is used, expressed in easily accessible, easy-to-understand communications. Don’t wait for an individual to make a request. Regular, proactive communication backed by accountable policies supports strong customer relationships and removes the motivation to resort to a formal request.
Acknowledge the request: Be ready with a customer service communication that acknowledges the receipt of a request and outlines the steps your organisation will be taking to respond within 30 days. Be specific: point out that the request will be assessed, and that your organisation will be in touch within a specified time frame to either clarify the request or respond to it.
Clarify customer expectation: Don’t assume every customer is looking to have you provide them with anything that could be considered personal data under the letter of the legislation. Contact them, learn the motivation for the request and respond to this. It could be that invoking a customer service or complaint procedure would be the more appropriate response.
Ensure the legitimacy of the request: Set criteria for referring requests for legal assessment. You can ask the person who is submitting the request to make their case for it. There could also be overriding regulations in certain specific situations and customer obligations.
Document policy for search criteria: Data mapping enhances the record of processing activities and will provide an overview of the data flows within, to and from an organisation. Even if all relevant data isn’t caught, you will be able to demonstrate that you have made a reasonable effort to capture as much as possible.
Anticipate spikes: Well-known brands expect a flood of first requests as the legislation comes into effect and customers seek to test it. When the European Court of Justice previously upheld an applicant’s case to have a news item removed from search engine results, many similar requests followed in the aftermath.
Automate and maintain: Once inventories are documented, criteria set and processes defined, you can look to develop tools or automate processes. The business case will dictate whether such an investment is justified, and processes will have to be reviewed regularly: they will change as the business changes and improve with experience.
However prepared organisations are today, the task ahead is likely to be significant. The capacity to meet data subject rights is not an isolated requirement, but a task that will mature alongside the overall compliance effort. Organisations will undoubtedly be tweaking and refining their processes and approaches for some time to come. Overall, the key to navigating data subject rights will be your ability to demonstrate commitment to accountability for sound data management as a pillar of a trustworthy business.
The authors of this post, Yves le Roux CISSP, Paul Lanois SSCP, Visia Tartaglione CISSP and Eric Tierling CISSP, are members of the (ISC)2 EMEA Advisory Council GDPR Task Force.
The Task Force is made up of members from around the world who are actively charged with implementing GDPR to track and curate front-line experience with the compliance effort. The aim is to work with the global membership of (ISC)2 to share the insights, tools and strategies they are deploying to meet the May 25 compliance deadline.