General Data Protection Regulation: Data Subject Rights Breach Notification
After four years of preparation and debate the GDPR was finally approved by the EU
Parliament on 14 April 2016. It became enforceable on 25 May 2018 – and organizations that are
not compliant could now face heavy fines.
Breach Notification
Under the GDPR, breach notifications are now mandatory in all
member states where a data breach is likely to “result in a risk for the rights and freedoms
of individuals”. This must be done within 72 hours of first having become aware of the
breach. Data processors are also required to notify their customers, the controllers,
“without undue delay” after first becoming aware of a data breach.
Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data
subjects to obtain confirmation from the data controller as to whether or not personal data
concerning them is being processed, where and for what purpose. Further, the controller
shall provide a copy of the personal data, free of charge, in an electronic format. This
change is a dramatic shift to data transparency and empowerment of data subjects.
Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data
controller erase his/her personal data, cease further dissemination of the data, and potentially have
third parties halt processing of the data. The conditions for erasure, as outlined in article 17,
include the data no longer being relevant to original purposes for processing, or a data subject
withdrawing consent. It should also be noted that this right requires controllers to compare the
subjects’ rights to “the public interest in the availability of the data” when considering such
requests.
Data Portability
GDPR introduces data portability – the right for a data subject to receive the personal data
concerning them, which they have previously provided, in a ‘commonly used and machine-readable
format’, and the right to transmit that data to another controller.
Privacy by Design
Privacy by design as a concept has existed for years, but it is only just becoming part of a legal
requirement with the GDPR. At its core, privacy by design calls for data protection to be built in
from the outset of system design, rather than added on afterwards.
Data Protection Officers
Importantly, the Data Protection Officer: