The Role of Data Governance in Data Strategy: Part 3

Data Subject Access Rights (DSAR) 

In the previous articles (Part 1 and Part 2), we have seen the concept of BigID and how it enhances the data in an organization. In this article, let's see what is Data Subject Access Rights (DSAR) and how they correlate to individual rights in real-time. 

Data Rights Fulfillment (DRF) is a process of steps/actions taken by an organization with data protection rules and ensuring that individual rights and personal data are respected.

What are the most commonly used rights that one individual has the right to ask or know? What level of information does the organization have with regard to data?

What are the rights of individuals under the GDPR?

1. Right to data access (Article 15)
2. The right to be informed (Articles 12, 13, and 14)
3. Rights refer to automated individual decision-making, including profiling (Article 22).
4. The right to object (Article 21)
5. The right to data portability (Article 20)
6. The right to restrict processing (Articles 18 and 19)
7. The right to erasure ("right to be forgotten") (Article 17)
8. The right to rectification (Article 16)

1. Right to Data Access

This right allows individuals to ask an organization if they have personal data that is concerning them. Individuals are entitled to obtain additional information from the organization regarding the following:

• For what purposes is the personal data being used or processed?
• Recipients or services of recipients who have or will receive the data
• The source of the data, if it was not directly collected from the individual
• The duration for which the data will be stored or the benchmark used to determine that tenure

In summary, the right to access is an important component of data protection regulations, intended to grant individuals greater jurisdiction over their personal data and ensure transparency in how their data is used.

2. The Right to Be Informed

This law plays a vital role in an organization and they are responsible for keeping the individuals informed about their data if there are any changes/edits to the data. Transparency is the core principle here for data protection and is key for building trust between organizations and individuals. This is mostly done through a "Privacy Note" or "Non-Disclosure Agreement (NDA)" between both parties. The organization is responsible for making sure these details are written/printed in a very detailed note that individuals can understand easily.

Key points that must be included in the Privacy Notice:

• Identity and contact details of the data Consultant
• Purpose of data processing
• Legal basis for processing
• Recipients or categories of recipients
• International data transfers
• Data retention period
• Individual rights
• Automated decision-making
• Source of data (if not collected directly from the individual)

3. Rights Refer to Automated Individual Decision-Making, Including Profiling

The individual has specific rights with regard to automated decision-making, including profiling, if the individual feels/suspects the processed data/results were not accurate. These rights are designed to protect individuals from actions that could impact them without any manual intervention.

For instance, if a company uses an algorithm to reject job applications based on certain criteria automatically, an individual has the right to:

• Be informed that their application was rejected through automated decision-making
• Request human intervention to review the decision
• Provide additional information that may not have been considered by the automated process
• They may appeal or raise a flag if they feel the decision was unfair

4. The Right to Object

The "right to object" enables individuals to request an organization to stop processing their personal data in some scenarios, like below: 

• Right to object to processing for direct marketing purposes
• Right to object to processing based on legitimate interests or public task
• Right to object to processing for research or statistical purposes

For instance, if an organization uses personal data to send marketing campaign emails, the individual has the right to object to this kind of processing. Once the individual objects, the company must stop sending these emails to that person immediately.

5. The Right to Data Portability

The right to data portability enables individuals to gather and reuse their personal information across multiple services. Organizations need to be able to provide their personal data upon request and in this way it allows them to carry their data in a safe and secure way without compromising their rights.

Some of the general examples of how an individual can use these rights are:

• Switching financial services: An individual might use the right to data portability to transfer their transaction history from one bank to another.
• Number portability: An individual can use the right to data portability to “port” a mobile number to another mobile network provider.
• Health services: A patient might transfer their health records from one healthcare provider to another.

6. The Right to Restrict Processing

This right provides individuals with the capability to stop processing of their personal data under certain circumstances without necessarily requiring the data to be deleted. An individual has the right to restrict what an organization does with their information, so they can process it as part of an agreement but not send marketing emails. While the processing is restricted by an individual, the organizations can still store their data and the data can be processed with the individual’s consent. An organization must keep track of who has prohibited specific sorts of processing and check that record before processing data. In most circumstances, the best way to address this will be within the software tools that are being used to manage those operations.

7. The Right to Erasure (“Right to Be Forgotten”) 

This right allows individuals to request that their personal data be deleted when an individual does not want to process their data in an organization. It is a key right of data protection in this digital era, ensuring that individuals have the ability to manage their digital footprint while still protecting their privacy. However, this right is balanced by some exclusions to guarantee that some essential data processing activities can continue where and when needed.

For example, a person might request the deletion of their personal data from a company’s database in situations such as when they have withdrawn their consent to receive marketing emails or when they no longer wish to have an account with that company and want all associated data to be erased. By making such a request, the individual ensures that the company stops using their personal data for any purpose, including marketing, account management, or any other processing activity that might have been ongoing.

8. The Right to Rectification

It allows individuals to request corrections to their personal data if an individual feels it is inaccurate or incomplete. Organizations need to know everywhere in their organization where data about individuals is stored so they can update those systems if an individual informs them that the data they have is incorrect. If an individual requests an organization to update or edit any of their personal information, they typically need to submit a request to the data controller of the organization that is handling the data. The request should specify what data is incorrect and what the correct information should be.

In the future post, we will look at how BigID addresses DSAR and DRF requests and the impact it has on data and individuals. This framework is essential for maintaining justice and accountability in the age of AI.

Reference Articles 

• BigID-Automate-Data-Access-Rights-Fulfillment-White-Paper