Find out what these new rights mean for your organization and how you can prepare.
GDPR (General Data Protection Regulation) is the EU’s new legal framework that replaced the EU Data Protection Directive in May 2018. While the directive was merely a recommendation, GDPR carries the force of law.
The purpose of GDPR is similar to today’s Data Protection Directive. The regulation is designed to protect EU citizens’ personal data by defining how organizations process, store, and destroy it.
The law also gives individuals control of how companies can use information that is directly related to them personally and provides eight specific rights. Some of these rights are new; some are stronger versions of rights that exist under the EU Data Protection Directive. In GDPR, these rights are called the "Rights of Data Subjects."
Data subjects are the opposite of "data objects"; they are not passive entities who have no option but to accept whatever happens to their personal data. They are independent owners of their data and determine how the data is used.
Below we highlight the individual rights granted by the GDPR, explain what they mean in practice, and describe how your organization can adapt.
The 8 GDPR Rights:
1. Right to Be Informed
GDPR Articles: 12, 13, 1
What does it mean to individuals? Before data is collected, a data subject has the right to know how it will be collected, processed, and stored, and for what purposes.
How to address it in my organization? Create easy-to-read policies that provide explicit details on what information is being stored on an individual—and how it will be used. Ensure all data collection processes place informing the user before the collection of data.
2. Right to Access
GDPR Articles: 12, 15
What does it mean to individuals? After data is collected, a data subject has the right to know how it has been collected, processed, and stored, what data exists, and for what purposes.
How to address it in my organization? Implement a process and the technical capabilities to:
a) Track all data relating to the requester in your systems,
b) Vet a right to access request, and
c) Provide that information to the requester.
These processes could involve considerable manual efforts that divert your staff from other critical projects. You can simplify the work by automating these processes and implementing access logging. When transferring information either to the data subjects or third parties, make sure its secure by using secure managed file transfer.
3. Right to Correction ("Rectification")
GDPR Articles: 12, 16
What does it mean to individuals? A data subject has the right to have incorrect or incomplete data corrected.
How to address it in my organization? Implement a process and the technical capabilities to:
a) Vet a right to access request,
b) Correct the data, and
c) Confirm correction to the requester.
As this also applies to data your organization passed on to third parties, you need a process to securely inform them of the correction. Support your implementation by automating processes and using secure managed file transfer.
4. Right to Erasure (Right to Be Forgotten)
GDPR Articles: 12, 17
What does it mean to individuals? A data subject has the right to have personal data permanently deleted.
How to address it in my organization? Implement a process and the technical capabilities to:
a) Track all data relating to requester in your systems,
b) Vet a right to erasure request,
c) Erase all data in the request, and
d) Confirm that erasure to the requester.
In addition, implement processes and technical capabilities to:
- Automatically delete data after a determined retention period, unless the data is still required.
- Inform other processors to whom data was passed of the request.
- Receive a right to erasure request from another data controller or processor, and to perform it.
Define a highly automated, secure process to vet incoming Right to Erasure requests, inform processors of Right to Erasure requests, erase data in response to Right to Erasure requests, and to automatically erase data that is no longer required, such as after legal retention periods end.
5. Right to Restriction of Processing
GDPR Articles: 12, 18
What does it mean to individuals? A data subject has the right to block or suppress personal data being processed or used.
How to address it in my organization? Implement a process and the technical capabilities to:
a) Track all data relating to requester in our systems,
b) Vet a right to restriction of processing request,
c) Pause processing without erasing the data, and
d) Confirm the restriction in processing to the requester.
Define an automated and secure process to vet incoming Right to Restriction of Processing requests, inform processors of the requests, and to restrict (pause) the processing of data.
6. Right to Data Portability
GDPR Articles: 12, 20
What does it mean to individuals? A data subject has the right to move, copy, or transfer personal data from one data controller to another, in a safe and secure way, in a commonly used and machine-readable format. Wherever technically possible, this also includes the right to have the data transferred directly from one controller to another without the data subject having to handle the data.
How to address it in my organization? Implement a process and the technical capabilities to:
a) Track all data relating to requester in your systems,
b) Vet a right to data portability request,
c) Transfer data to another controller or else the requester securely, and
d) Confirm the transfer to the requester.
Automate and secure the process of vetting incoming Right to Data Portability requests, and providing the requester with access to a corresponding data package.
7. Right to Object to Processing
GDPR Articles: 12, 21
What does it mean to individuals? A data subject has the right to object to being subject to public authorities or companies processing their data without explicit consent. A data subject also has the right to stop personal data from being included in direct marketing databases.
How to address it in my organization? In effect, a combination of the processes and technical capabilities for restriction, limitation, and erasure described above will suffice. Using automation and secure file transfer, define a process to vet incoming Right to Object to Processing requests, and to inform processors of the request.
8. Right to Not Be Subject to Automated Decision Making
GDPR Articles: 12, 22
What does it mean to individuals? A data subject has the right to demand human intervention, rather than having important decisions made solely by algorithm.
How to address it in my organization? Inform people that they will be subject to algorithmic decision-making and that they can opt out of it. Implement a process and the technical capabilities to:
a) Track all data relating to requester in our systems,
b) Vet an Article 22 request,
c) Revert the algorithmic decision, and
d) Provide all information to a human decision-maker.
Assist your implementation by defining a process to vet incoming Right to Not Be Subject to Automated Decision Making requests, to inform processors of the request, and to pull together an information package to be used for the human decision-maker.
Additional Notes:
Rights of Data Subjects, such as the Right to Access, are normally exercised by individuals—the data subjects themselves.
In some legal contexts, such as law enforcement or security situations, the right of the data subject is replaced by the requirement of a supervisory authority to monitor or regularly audit the data processing to perform oversight.
The basic underlying requirement is the same in both cases: you must be able to vet an incoming request and satisfy the request for information, erasure, etc.
Fortra solutions can support you in your mandatory implementation of Rights of Data Subjects processes.
Our solutions aid your implementation by providing robust capabilities for process automation, access logging, and secure file transfer.
1) Process Automation
The Rights of Data Subjects require you to define and document a corresponding business process. Automation allows you to streamline those processes, ensuring high efficiency and providing a consistent response to these service requests.
Most of these processes will consist of manual elements and automated or automatable elements. For example, the vetting of an incoming Right to Access request may include a manual verification of ID documents. Fortra offers solutions that can help you create such hybrid manual-automatic processes, including Automate, Webforms, and Sign Here.
2) Access Logging
The Right to Access means you must provide, on request, information about which personal data was collected and how it was changed and read after the initial data collection. To capture this information, manual processes are insufficient. In addition to clearly documenting your data flows, you need to automatically log accesses to personal data and to be able to query that information.
Fortra offers solutions to capture and log different data access. For the IBM i world, we offer logging and reporting capabilities in our data security solutions Powertech Exit Point Manager for IBM i, Powertech Command Security for IBM i, Powertech Authority Broker for IBM i, Powertech Compliance Monitor for IBM i, and Powertech Database Monitor for IBM i. Logging capabilities are also built into our managed file transfer solution, GoAnywhere MFT.
3) Secure File Transfer
Implementing Rights of Data Subjects processes requires you to move data securely from point A to point B. A Right to Access process, for instance, requires you to provide the requestor with a package of all the personal data that you have gathered on her, as well as on how that data was subsequently processed and accessed.
As this collection itself represents personal data, the same safeguards apply as to the originally gathered data, including the need to protect this information at rest and in transit.
Providing such a package may also require data to first be pulled together from different departments inside your organization, or even from different companies within the enterprise, before being assembled into a single package to be provided to the customer.
Our solution GoAnywhere Managed File Transfer provides you with the capability to transfer or make accessible such sensitive information packages in a secure manner. In addition, thanks to GoAnywhere's automation capabilities, you can also integrate the provision of data into a more complete Right to Access workflow built on Fortra automation solutions mentioned above.
To learn more about GDPR and the rights of data subjects, see these useful resources:
- The full text of GDPR in 24 languages
- Article 29 working group guidelines on data portability
- The European Data Protection Supervisor on rights of data subjects
You can also watch our webinar Meeting GDPR Compliance with GoAnywhere MFT or check out our resource page about GDPR compliance for file transfers.
