Control over personal data is shifting back to data subjects, as the GDPR puts a great emphasis on data subject rights and requests.

The GDPR – which came into place in May 2018 – introduces dramatic rule changes for companies regarding the way they collect and store data, whilst offering individuals greater control over their personal data.

User rights are another important aspect impacted by the General Data Protection Regulation (GDPR).

What are the data subject rights according to the GDPR?

Notably, the legislation significantly alters how users can request access to data. Whereas companies were not previously obliged to show exactly what data they had collected about a particular person, individuals now have the right to submit a data subject request according to their rights, such as access to data the company has on them. The GDPR also eliminates the cost of subject access requests, which was previously set at a maximum of £10.  

According to the GDPR, data subjects have the following rights:

Right of Access

Data subjects have the right to obtain confirmation as to whether or not personal data concerning them is processed, and, where that is the case, they have the right to request and get access to that personal data.

Right to be Forgotten

Officially called the "Right to Erasure”. In certain cases, data subjects have the right to obtain the erasure of their personal data.

Right to Data Portability

Data subjects have the right to receive from data controllers a structured format their personal data and they have the right to (let) transmit such personal data to another controller.

Right to Restriction of Processing

Under GDPR, data subjects have the right to obtain the restriction of processing, applicable for a certain period and/or for certain situations.

Right to Object

In certain cases, data subjects have the right to object to processing of their personal data, including with regards to profiling. They have the right to object to further processing of their personal data in so far as such data have been collected for direct marketing purposes.

Right to Rectification

Data subjects have the right to obtain the rectification of inaccurate personal data and they have the right to provide additional personal data to complete any incomplete personal data.

Right to Reject Automated Individual Decision-Making

Data subjects have the right to not be subject to a decision based solely on automated processing.

Data subject requests (DSR)

This legislative shift puts customers in the driving seat, something which holds a range of implications for companies with large banks of customer data. Today, companies need to be more transparent with the data they collect and they need to obtain explicit consent from the people they collect information from, or face big fines. GDPR obliges companies to confirm where data is being held, if they have deleted data, and what they will do with it. Previously it was often held in unsecured places and companies presumed that it was fine to simply take data.

Additionally, the GDPR requires companies to correct or erase a customer’s personal data upon request, according to their rights Individuals can also stop an organisation from processing their data after a certain amount of time, or for certain situations. Furthermore, businesses must comply if an individual files a complaint about the way their data is being used, or if they object to having their personal data processed for any other purpose than those originally stated at the time of consent.

Responding to data subject requests

Under the GDPR, companies also have less time to respond to data subject requests – one month instead of 40 calendar days. Failure to do so could result in a hefty fine of up to 4% of annual global revenue, or €20 million, depending on which figure is higher.

Following these legislative changes, businesses need to adjust in order to ensure they can quickly and efficiently respond to data subject rights and requests. This may sound like a time consuming and costly task, but it doesn’t have to be.

The rules of the game have changed. Today, setting up a robust system for managing user requests is not only crucial for avoiding financial penalties under the GDPR, it will also make sure that a business is seen as a transparent and trustworthy organisation.