April 12, 2017

Data Subject Rights in the GDPR: Who Has Visibility and Control Over Personal Data?

JT Sison
Data Subject Rights in the GDPR: Who Has Visibility and Control Over Personal Data?

Enterprises can’t afford to “forget” where sensitive data is located.

One of the General Data Protection Regulation (GDPR) rules that has garnered considerable attention is the “right to be forgotten.” This right entitles a person to demand a company delete his or her personal data. While only one of several rights the GDPR confirms or establishes, it emphasizes the level of control the new law allows a person over his or her own data. Put simply, legal use of personal data hinges on obtaining a person’s permission to gather that data and is only maintained by allowing that person continued authority over their own data.

The Data You Collect and How You Use It

In order for a data subject to legally give consent, a company must be clear about the data it is requesting and how it will use it, at the point of collection, including:

  • Who can access the data
  • Why the data is being collected
  • How will the data be used

Companies must also ensure that consent is actively and explicitly given. After the data is collected, data subjects continue to maintain a degree of authority over their own data. They are legally able to exercise this authority by making requests for any personal data a company may have about them. Such requests must be honored within one month.

The rights that a person continues to hold over their data include:

  • The right to have their information deleted
  • The right to access their data
  • The right to take their data (i.e., data portability)
  • The right to have inaccuracies corrected
  • The right to restrict processing (e.g., for direct marketing or automated decision making)
  • The right to object to the disclosure of his or her personal data for the first time to third parties

For many global organizations, the biggest challenge to complying with the GDPR’s rules regarding data subject rights is the ability to keep track of all sensitive data everywhere—on premises, in the Cloud, across the extended enterprise. To empower data subjects with the right to be forgotten, enterprises must not “forget” where sensitive data is located but rather maintain diligent visibility and control over it all.

As always, we recommend consulting your legal or compliance teams first, but contact us to learn how Dataguise’s simple, powerful solution for sensitive data governance can help you accelerate (and ensure continued) compliance with GDPR.

Share on social media
  • Blog Data Breach Report Oct 2024

    PKWARE November 14, 2024
  • Data Breach Report: September 2024 Edition

    PKWARE October 9, 2024
  • Data Breach Report: August 2024 Edition

    PKWARE September 6, 2024
  • Where Are the Keys? Managing Encryption in the Cloud

    PKWARE August 7, 2024
  • Blog Data Breach Report Oct 2024
    PKWARE November 14, 2024
  • Data Breach Report: September 2024 Edition
    PKWARE October 9, 2024
  • Data Breach Report: August 2024 Edition
    PKWARE September 6, 2024