
GDPR: Understanding the 8 Rights of Data Subjects

GDPR gives data subjects more control

Find out what these new rights mean for your organization and how you can prepare.

GDPR (General Data Protection Regulation) is the EU’s new legal framework that replaced the EU Data Protection Directive in May 2018. While the directive was merely a recommendation, GDPR carries the force of law.

The purpose of GDPR is similar to today’s Data Protection Directive. The regulation is designed to protect EU citizens’ personal data by defining how organizations process, store, and destroy it.

The law also gives individuals control of how companies can use information that is directly related to them personally and provides eight specific rights. Some of these rights are new; some are stronger versions of rights that exist under the EU Data Protection Directive. In GDPR, these rights are called the “Rights of Data Subjects.”

Data subjects are the opposite of “data objects”; they are not passive entities who have no option but to accept whatever happens to their personal data. They are independent owners of their data and determine how the data is used.

Below we highlight the individual rights granted by the GDPR, explain what they mean in practice, and describe how your organization can adapt.

The 8 GDPR Rights:

1. Right to Be Informed

GDPR Articles: 12, 13, 1

What does it mean to individuals? Before data is collected, a data subject has the right to know how it will be collected, processed, and stored, and for what purposes.

How to address it in my organization? Create easy-to-read policies that state explicitly what information is being stored about an individual and how it will be used. Ensure every data collection process informs the user before any data is collected.

2. Right to Access

GDPR Articles: 12, 15

What does it mean to individuals? After data is collected, a data subject has the right to know how it has been collected, processed, and stored, what data exists, and for what purposes.

How to address it in my organization? Implement a process and the technical capabilities to:

a) Track all data relating to the requester in your systems,
b) Vet a right to access request, and
c) Provide that information to the requester.

These processes could involve considerable manual effort that diverts your staff from other critical projects. You can simplify the work by automating these processes and implementing access logging. When transferring information either to the data subjects or to third parties, make sure it is secure by using secure managed file transfer.

3. Right to Correction (“Rectification”)

GDPR Articles: 12, 16

What does it mean to individuals? A data subject has the right to have incorrect or incomplete data corrected.

How to address it in my organization? Implement a process and the technical capabilities to:

a) Vet a right to access request,
b) Correct the data, and
c) Confirm correction to the requester.

As this also applies to data your organization passed on to third parties, you need a process to securely inform them of the correction. Support your implementation by automating processes and using secure managed file transfer.

4. Right to Erasure (Right to Be Forgotten)

GDPR Articles: 12, 17

What does it mean to individuals? A data subject has the right to have personal data permanently deleted.

How to address it in my organization? Implement a process and the technical capabilities to:

a) Track all data relating to the requester in your systems,
b) Vet a right to erasure request,
c) Erase all data in the request, and
d) Confirm that erasure to the requester.

In addition, implement processes and technical capabilities to:

  • Automatically delete data after a determined retention period, unless the data is still required.
  • Inform other processors to whom data was passed of the request.
  • Receive a right to erasure request from another data controller or processor, and carry it out.

Define a highly automated, secure process to vet incoming Right to Erasure requests, inform processors of them, erase the data in response, and automatically erase data that is no longer required, such as when legal retention periods end.

5. Right to Restriction of Processing

GDPR Articles: 12, 18

What does it mean to individuals? A data subject has the right to block or suppress personal data being processed or used.

How to address it in my organization? Implement a process and the technical capabilities to:

a) Track all data relating to the requester in your systems,
b) Vet a right to restriction of processing request,
c) Pause processing without erasing the data, and
d) Confirm the restriction in processing to the requester.

Define an automated and secure process to vet incoming Right to Restriction of Processing requests, inform processors of the requests, and to restrict (pause) the processing of data.

6. Right to Data Portability

GDPR Articles: 12, 20

What does it mean to individuals? A data subject has the right to move, copy, or transfer personal data from one data controller to another, in a safe and secure way, in a commonly used and machine-readable format. Wherever technically possible, this also includes the right to have the data transferred directly from one controller to another without the data subject having to handle the data.

How to address it in my organization? Implement a process and the technical capabilities to:

a) Track all data relating to the requester in your systems,
b) Vet a right to data portability request,
c) Securely transfer the data to another controller or to the requester, and
d) Confirm the transfer to the requester.

Automate and secure the process of vetting incoming Right to Data Portability requests, and providing the requester with access to a corresponding data package.

7. Right to Object to Processing

GDPR Articles: 12, 21

What does it mean to individuals? A data subject has the right to object to public authorities or companies processing their data without explicit consent. A data subject also has the right to stop personal data from being included in direct marketing databases.

How to address it in my organization? In effect, a combination of the processes and technical capabilities for restriction, limitation, and erasure described above will suffice. Using automation and secure file transfer, define a process to vet incoming Right to Object to Processing requests, and to inform processors of the request.

8. Right to Not Be Subject to Automated Decision Making

GDPR Articles: 12, 22

What does it mean to individuals? A data subject has the right to demand human intervention, rather than having important decisions made solely by algorithm.

How to address it in my organization? Inform people that they will be subject to algorithmic decision-making and that they can opt out of it. Implement a process and the technical capabilities to:

a) Track all data relating to the requester in your systems,
b) Vet an Article 22 request,
c) Revert the algorithmic decision, and
d) Provide all information to a human decision-maker.

Assist your implementation by defining a process to vet incoming Right to Not Be Subject to Automated Decision Making requests, to inform processors of the request, and to pull together an information package to be used for the human decision-maker.

Additional Notes:

Rights of Data Subjects, such as the Right to Access, are normally exercised by individuals—the data subjects themselves.

In some legal contexts, such as law enforcement or security situations, the right of the data subject is replaced by the requirement of a supervisory authority to monitor or regularly audit the data processing to perform oversight.

The basic underlying requirement is the same in both cases: you must be able to vet an incoming request and satisfy the request for information, erasure, etc.

HelpSystems solutions can support you in your mandatory implementation of Rights of Data Subjects processes.

Our solutions aid your implementation by providing robust capabilities for process automation, access logging, and secure file transfer.

1) Process Automation

The Rights of Data Subjects require you to define and document a corresponding business process. Automation allows you to streamline those processes, ensuring high efficiency and providing a consistent response to these service requests.

Most of these processes will consist of manual elements and automated or automatable elements. For example, the vetting of an incoming Right to Access request may include a manual verification of ID documents. HelpSystems offers solutions that can help you create such hybrid manual-automatic processes, including Automate, Webforms, and Sign Here.

2) Access Logging

The Right to Access means you must provide, on request, information about which personal data was collected and how it was changed and read after the initial data collection. To capture this information, manual processes are insufficient. In addition to clearly documenting your data flows, you need to automatically log accesses to personal data and to be able to query that information.
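As an added illustration (not HelpSystems code or a feature of any product named here), a minimal Python access log for personal data: a per-subject query that answers a Right to Access request with a machine-readable package, and a retention check that feeds the automatic-erasure step described under the Right to Erasure. The event schema, action vocabulary and sample events are assumptions constructed for this example.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
import json

@dataclass(frozen=True)
class AccessEvent:
    ts: datetime      # when the access happened (UTC)
    subject_id: str   # the data subject the record belongs to
    actor: str        # user or system that touched the data
    action: str       # "collect", "read", "update" or "erase" (assumed vocabulary)
    fields: tuple     # personal-data fields affected

class PersonalDataLog:
    """Append-only log of accesses to personal data, queryable per data subject."""
    def __init__(self):
        self._events = []

    def record(self, ts, subject_id, actor, action, fields):
        if action not in ("collect", "read", "update", "erase"):
            raise ValueError(f"unknown action {action!r}")
        self._events.append(AccessEvent(ts, subject_id, actor, action, tuple(fields)))

    def subject_report(self, subject_id):
        """Right to Access answer for one subject as machine-readable JSON."""
        events = [{**asdict(e), "ts": e.ts.isoformat(), "fields": list(e.fields)}
                  for e in self._events if e.subject_id == subject_id]
        return json.dumps({"subject_id": subject_id, "events": events}, indent=2)

    def retention_candidates(self, now, retention_days):
        """Subjects with no activity inside the retention period and not yet erased:
        the input list for an automatic deletion job."""
        last_seen, erased = {}, set()
        for e in self._events:
            last_seen[e.subject_id] = max(last_seen.get(e.subject_id, e.ts), e.ts)
            if e.action == "erase":
                erased.add(e.subject_id)
        cutoff = now - timedelta(days=retention_days)
        return sorted(s for s, t in last_seen.items() if t < cutoff and s not in erased)

def build_sample_log():
    """Constructed sample events (not real data) so the module runs stand-alone."""
    t0 = datetime(2019, 1, 10, tzinfo=timezone.utc)
    log = PersonalDataLog()
    log.record(t0, "S-1001", "webform", "collect", ["name", "email"])
    log.record(t0 + timedelta(days=3), "S-1001", "crm_user_7", "read", ["email"])
    log.record(t0 + timedelta(days=3), "S-2002", "webform", "collect", ["name"])
    log.record(t0 + timedelta(days=40), "S-1001", "crm_user_7", "update", ["email"])
    log.record(t0 + timedelta(days=60), "S-2002", "retention_job", "erase", ["name"])
    return log
```

In a real deployment the log itself is personal data, so it needs the same at-rest and in-transit protection as the records it describes.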

HelpSystems offers solutions to capture and log different kinds of data access. For the IBM i world, we offer logging and reporting capabilities in our data security solutions Powertech Exit Point Manager for IBM i, Powertech Command Security for IBM i, Powertech Authority Broker for IBM i, Powertech Compliance Monitor for IBM i, and Powertech Database Monitor for IBM i. Logging capabilities are also built into our managed file transfer solution, GoAnywhere MFT.

3) Secure File Transfer

Implementing Rights of Data Subjects processes requires you to move data securely from point A to point B. A Right to Access process, for instance, requires you to provide the requestor with a package of all the personal data that you have gathered on her, as well as on how that data was subsequently processed and accessed.

As this collection itself represents personal data, the same safeguards apply as to the originally gathered data, including the need to protect this information at rest and in transit.

Providing such a package may also require data to first be pulled together from different departments inside your organization, or even from different companies within the enterprise, before being assembled into a single package to be provided to the customer.

Our solution GoAnywhere Managed File Transfer provides you with the capability to transfer or make accessible such sensitive information packages in a secure manner. In addition, thanks to GoAnywhere's automation capabilities, you can also integrate the provision of data into a more complete Right to Access workflow built on HelpSystems automation solutions mentioned above.

To learn more about GDPR and the rights of data subjects, see these useful resources:

You can also watch our webinar Meeting GDPR Compliance with GoAnywhere MFT or check out our resource page about GDPR compliance for file transfers.

Published August 5, 2019