What are the Rights of Data Subjects?
Persons (i.e. “Data Subjects”) are entitled to several rights in regard to their personal data, including:
- Right to be informed – about the collection and use of their personal data;
- Right of access – to their personal data;
- Right to rectification – data subjects can ask data controllers to erase or rectify inaccurate or incomplete data;
- Right to erasure – data subjects have the right to ask organizations to delete their personal data if: the data has been processed unlawfully; the organization no longer needs the data for the original purpose (and has no new lawful purpose); or the organization relies on consent for processing the data and the person withdraws it;
- Right to restrict processing – individuals can ask organizations to restrict processing their personal data if, for example: they believe their data is not accurate (organizations should stop processing until they verify the accuracy of the data); or if the processing is unlawful but the individual doesn’t want the data erased;
- Right to data portability;
- Right to object to processing;
- Rights in relation to automated decision-making and profiling.
How can Organizations Comply with GDPR?
Compliance with the GDPR starts with a data map: a flow chart of what information is collected, where it is stored, who it is transmitted to, and all other processes up to final disposal or return of that information. Organizations must develop a compliance roadmap that identifies the specific implementation tasks needed to achieve or improve alignment with the GDPR, keyed to the provisions that require them. But remember that compliance is a process rather than a project. Organizations should develop systems and empower staff to achieve compliance with the GDPR on an ongoing basis. This means developing and implementing governance, operational, and technology components within the organization in order to comply with the GDPR.
What are the Risks of Non-compliance with the GDPR?
Some of the risks associated with non-compliance are:
- Public relations fallout;
- Loss of business;
- Fines and penalties; and
- Class action lawsuits.
Public relations fallout can expose an organization to news and media coverage of a security breach in the organization, which will likely result in decreased public trust and loss of customer business.
Loss of business can also result from relationships with other companies and organizations that are within scope for GDPR compliance obligations, such as contractors who may themselves be required to be compliant. These third parties may no longer do business with your organization, as they are required to work exclusively with GDPR-compliant businesses.
Fines and penalties, known as regulator fines, may result from non-compliance, up to 4% of annual global turnover. As an example, British Airways was fined $229 million and Marriott Hotels $123 million for GDPR violations.
Class action lawsuits may be brought by customers whose personal data was breached.
Who Enforces the GDPR?
The EU’s Information Commissioner’s Office (ICO) is responsible for enforcing GDPR.