
Data Discovery for Data Subject Rights


Data discovery is one of the most basic but critical activities for fulfilling some of the key privacy requirements outlined in the GDPR. To understand the data privacy requirements and the role of data discovery in detail, check out our recent blog, How Important is Data Discovery?

The GDPR gives data subjects the power to take control of their own data through data subject rights. Data discovery is a key element in fulfilling data subject rights. To fulfill the requirements, it is important to understand each of these requests in detail. The GDPR delineates eight data subject rights that give individuals more control over the personal data an organization collects about them.

Below we list those eight data subject rights with a brief explanation of each:

  1. Right of access - GDPR Article 15:

The GDPR states that “Individuals have the right to access and receive a copy of their personal data.” Using this right, an individual can ask an organization to provide access to, or a copy of, the personal data collected about them.

  2. Right to rectification - GDPR Article 16:

With this right, an individual can raise a request to rectify inaccurate personal data concerning the data subject. An organization should be able to receive the request, verbally or in writing, and take the required steps to keep the personal data accurate and complete.

  3. Right to erasure or right to be forgotten - GDPR Article 17:

An individual can request that an organization erase any personal data concerning him or her within the stipulated time.

  4. Right to restriction of processing - GDPR Article 18:

With the right to restriction, an individual can request that an organization restrict or suppress the processing of their personal data.

  5. Right to be informed:

Under the GDPR, individuals have the right to be informed about the collection and use of their personal data. An organization needs to maintain transparency by providing individuals with information such as the purpose of processing, how long personal data will be retained, and who it will be shared with.

  6. Right to data portability - GDPR Article 20:

With the right to data portability, an individual may be entitled to move, copy, or transfer personal data. The data subject may obtain personal data from a data controller in a format that can be reused in another context or transmitted to another data controller.

  7. Right to object - GDPR Article 21:

Under the GDPR, an individual has the right to object to the processing of personal data, and the request can be submitted verbally or in writing. An organization needs to respond to the data subject within 1 month.

  8. Rights related to automated decision-making including profiling - GDPR Article 22:

An individual has the right not to be subject to automated processing that leads to decision-making or profiling. For automated decision-making or profiling, an organization should give individuals information about the processing and a mechanism to object.


The GDPR states that an organization must respond to a data subject request quickly, and no later than one calendar month. To fulfil data subject rights such as the right of access, right to rectification, right to erasure, and right to data portability, it is crucial to first identify the personal data stored in the organization's different data sources.

Let’s look at an example to see the relevance of data subject rights and data discovery.

Example: Imagine ABC Company uses cloud platforms like SharePoint and Amazon S3 to store and share information. XYZ Employee worked for ABC Company in the past, and he wants to know what personal data the company collected and stored about him.

What should be the first step to fulfil the data subject request? The answer is to start by reviewing all the different data sources (in this example, SharePoint and Amazon S3) and share the personal data found with XYZ Employee in a timely manner. For a data subject request like the one above, it is essential to have the right strategy and tools in place to classify personal data accurately and in a timely manner.

When working with different data sources like SharePoint or Amazon S3, the major issue is identifying an individual's personal data across different files, which can be in various formats. If an organization starts manually scanning different repositories and multiple files of different types, it would be a never-ending process.

CyberRes Voltage can help an organization to discover structured and unstructured data like this through its advanced solutions.

Structured Data Manager and File Analysis Suite

Structured Data Manager (SDM) offers data discovery, insight, protection, and management features. File Analysis Suite (FAS) has capabilities of finding sensitive data and classifying high-risk data. Each of these solutions has specific capabilities that help an organization identify and protect data. These include:

  • Structured Data Manager:
    • Privacy protection
    • Data discovery
    • Test data management
    • Data management
  • File Analysis Suite:
    • Risk Assessment for sensitive data
    • Classification of sensitive data
    • Scan and classify documents with varied formats

Structured Data Manager offers a variety of built-in integrations, such as Vertica, SecureData, Content Manager and Amazon S3. File Analysis Suite can connect to known data source types like SharePoint, Teams, Office 365, Google Drive, Azure files and many more. FAS can also be used to build custom integrations using the FAS REST API.
