Data Subject Rights and Obligations in the Age of Privacy
​
Data is the lifeblood of organizations. However, with the exponential growth of data collection and processing, there are inherent concerns about data subject rights and obligations as well as privacy and security. Data protection and privacy regulations, such as PIPEDA, GDPR, CCPA, and others, have emerged to empower individuals with control over their personal information.
​
But what exactly are data subject rights and obligations, and how do they impact organizations and individuals alike?
​
Understanding Data Subject Rights
​
Data subject rights are the fundamental rights granted to individuals regarding their personal data. These rights are designed to provide transparency, control, and accountability in the processing of personal information. Key data subject rights include:
​
- Right to Access (Data Subject Access Request, DSAR): Individuals have the right to request access to their personal data held by an organization, including information about how it is being used, with whom it is shared and how long it is kept.
- Right to Rectification: Individuals can request that inaccurate or incomplete personal data be corrected.
- Right to Erasure (Right to be Forgotten): Individuals can request that their personal data be deleted under certain circumstances, such as when it is no longer needed for the purpose for which it was collected. The right is not absolute: legal retention obligations can override it.
- Right to Restriction of Processing: Individuals can request that the processing of their personal data be restricted in certain situations, such as when they contest the accuracy of the data or the lawfulness of the processing.
- Right to Data Portability: Individuals can request to receive their personal data in a structured, commonly used and machine-readable format (for example JSON or CSV), and to have it transmitted to another organization.
- Right to Object: Individuals can object to the processing of their personal data in certain circumstances; an objection to direct marketing must always be honoured.
- Right Not to be Subject to Automated Decision-Making: Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect them.

Examples:
​
- DSAR and Your Right to Rectification:
  - You: You are a loyal customer of an online retailer and notice discrepancies in the personal information displayed in your account. If you cannot make the changes yourself using the account's editing functions, submit a DSAR to access your data and request rectification of the errors.
  - The Company: Companies and organizations must verify the identity of the requester before releasing anything (a DSAR is an attractive pretext for obtaining someone else's data), respond within the statutory deadline, and correct inaccurate data. Failure to comply can result in regulatory penalties and reputational damage.
- Right to be Forgotten:
  - You: You were a member of a social media platform that retained your user data even after you deleted your account. You can submit an erasure request, citing concerns about privacy and potential misuse of your data.
  - The Company: Companies and organizations must honour valid erasure requests and have clear policies for data deletion, including the exceptions (such as legal retention obligations) under which data must be kept. Automated data retention and deletion schedules make this repeatable, and the deletion must also reach copies held by third parties that received the data, as well as copies in backups and analytics stores.
- Right to Object to Targeted Advertising:
  - You: Many marketing companies and social media platforms use profiling techniques to target you with personalized advertisements. You can object to this processing, citing concerns about privacy and the lack of transparency in how your data is used.
  - The Company: Companies and organizations must provide clear and accessible mechanisms for individuals to object to direct marketing and the profiling behind it, and must stop that processing once an objection is received. Where processing relies on consent, that consent must be freely given, specific, and as easy to withdraw as it was to give.
- Healthcare Data Breach and the Right to Restriction of Processing:
  - You: Your healthcare provider suffered a data breach that exposed patient records. As a patient you can ask that processing of your data be restricted while you contest its accuracy or the lawfulness of the processing, for example if the breach has put the integrity of your records in doubt. A breach on its own does not automatically trigger restriction, but it does trigger the provider's notification duties.
  - The Company: In the event of a data breach, companies and organizations must notify the regulator and affected individuals, be prepared to restrict processing on request, and communicate clearly about what happened. Robust security measures, such as encryption at rest and in transit, least-privilege access controls and audit logging, reduce both the likelihood and the impact of a breach.

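The automated retention and deletion schedule mentioned in the erasure example above can be made concrete. The following Python is an added illustration, not code from this module or from any product; the purposes, retention periods, processor names and records are constructed assumptions. It decides, for each record, whether to delete it, keep it, or flag it for review, giving a legal hold and statutory retention precedence over an erasure request, and it lists the third-party processors that must be told to erase their copy.

```python
"""Retention and erasure scheduler (added example; all values below are constructed)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class RetentionRule:
    days: int                # how long the stated purpose justifies keeping the data
    overrides_erasure: bool  # True where a statutory duty to keep the data beats an erasure request


# Assumed retention schedule: one rule per processing purpose (illustrative, not from the page).
RETENTION: Dict[str, RetentionRule] = {
    "order_fulfilment": RetentionRule(days=30, overrides_erasure=False),
    "tax_records": RetentionRule(days=7 * 365, overrides_erasure=True),
    "marketing": RetentionRule(days=365, overrides_erasure=False),
}


@dataclass
class Record:
    record_id: str
    subject_id: str
    purpose: str
    collected_on: date
    legal_hold: bool = False                               # e.g. litigation hold; blocks deletion
    shared_with: List[str] = field(default_factory=list)   # third-party processors holding a copy


@dataclass
class Decision:
    action: str        # "delete", "retain" or "review"
    reason: str
    notify: List[str]  # processors that must be told to erase their copy


def evaluate(record: Record, today: date, erasure_requested: bool = False) -> Decision:
    """Decide what to do with one record, checking the strongest obligation first."""
    if record.legal_hold:
        return Decision("retain", "legal hold", [])
    rule = RETENTION.get(record.purpose)
    if rule is None:
        # No documented purpose means no basis to keep the data: flag it rather than guess.
        return Decision("review", f"no retention rule for purpose {record.purpose!r}", [])
    if record.collected_on + timedelta(days=rule.days) <= today:
        return Decision("delete", "retention period expired", list(record.shared_with))
    if erasure_requested:
        if rule.overrides_erasure:
            return Decision("retain", "statutory retention overrides erasure request", [])
        return Decision("delete", "erasure request", list(record.shared_with))
    return Decision("retain", "within retention period", [])


def run_schedule(records: List[Record], today: date,
                 erasure_requests: FrozenSet[str] = frozenset()) -> Dict[str, Decision]:
    """Apply the schedule to every record; erasure_requests holds subject IDs with open requests."""
    return {r.record_id: evaluate(r, today, r.subject_id in erasure_requests) for r in records}


# Constructed sample data for the demonstration.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_ERASURE_REQUESTS = frozenset({"alice", "bob"})
SAMPLE_RECORDS = [
    Record("r1", "alice", "order_fulfilment", date(2024, 1, 10), shared_with=["courier-co"]),
    Record("r2", "alice", "tax_records", date(2023, 3, 1)),
    Record("r3", "bob", "marketing", date(2024, 3, 1), shared_with=["adtech-x"]),
    Record("r4", "carol", "marketing", date(2024, 1, 1), legal_hold=True),
    Record("r5", "carol", "analytics", date(2024, 5, 1)),
]


def sample_run() -> Dict[str, Decision]:
    """Run the schedule over the constructed sample set."""
    return run_schedule(SAMPLE_RECORDS, SAMPLE_TODAY, SAMPLE_ERASURE_REQUESTS)


if __name__ == "__main__":
    for rid, d in sample_run().items():
        print(f"{rid}: {d.action:6} ({d.reason}) notify={d.notify}")
```

In the sample run, alice's fulfilment record is deleted because its retention period has expired and the courier is told to erase its copy, her tax record is kept despite her erasure request, bob's marketing record is deleted on request with the ad-tech processor notified, carol's record under legal hold is kept, and the record with an undocumented purpose is flagged for review rather than silently retained.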
Data Subject Obligations
​
While data protection regulations primarily focus on the obligations of data controllers and processors, data subjects also have certain responsibilities:
​
- Providing Accurate Information: Individuals should provide accurate and up-to-date information when interacting with organizations.
- Protecting Login Credentials: Individuals should take reasonable steps to protect their login credentials, use multi-factor authentication where it is offered, and avoid sharing credentials with others.
- Exercising Rights Responsibly: Individuals should exercise their data subject rights responsibly and avoid frivolous or malicious requests.
- Staying Informed: Individuals should stay informed about data protection regulations and their rights.
- Reporting Security Incidents: Individuals should report suspected security incidents or data breaches to the organization concerned and, where appropriate, to the relevant authorities.

Organizational Obligations: Building a Culture of Privacy
​
Organizations must implement robust data protection and privacy programs to comply with regulations and build trust with individuals. Key organizational obligations include:
​
- Data Protection by Design and Default: Integrating privacy considerations into the design of products and services from the outset, so that the default settings are the most privacy-protective ones.
- Data Protection Impact Assessments (DPIAs): Conducting DPIAs for high-risk data processing activities.
- Data Breach Notification: Notifying the relevant authorities and affected individuals in the event of a data breach within the statutory deadline (under GDPR, the supervisory authority within 72 hours of becoming aware of the breach).
- Data Security Measures: Implementing appropriate technical and organizational measures to protect personal data, such as encryption, access controls and logging.
- Data Minimization: Collecting and processing only the personal data necessary for specific purposes, and deleting it when those purposes end.
- Transparency and Accountability: Providing clear and concise information about data processing practices and being able to demonstrate compliance.
- Data Protection Officer (DPO): Appointing a DPO where the regulation requires one.
- Training and Awareness: Providing regular training and awareness programs for employees on data protection and privacy.
- Third-Party Due Diligence: Ensuring, through contracts and assessments, that third-party data processors comply with data protection regulations.

The Path Forward: Building Trust and Ensuring Compliance
​
Data protection and privacy regulations are not merely compliance exercises; they are essential for building trust with individuals and fostering a culture of privacy. Organizations that take data subject rights and their own obligations seriously are better placed to earn and keep that trust and to protect their reputation.

By understanding data subject rights and obligations, organizations can navigate data protection and privacy regulations effectively. By prioritizing transparency, accountability and respect for individual privacy, organizations can build trust with their customers and stakeholders and contribute to a more secure and responsible data-driven world.
​
Disclaimer: This Learning Module is for informational purposes only and should not be considered legal or security advice. For professional cybersecurity advice contact your 123 Cyber Analyst.
​
---
​
This training series is based on the CAN/DGSI 104 NATIONAL STANDARD OF CANADA Baseline cyber security controls for small and medium sized organizations (typically less than 500 employees), the Canadian Centre for Cyber Security controls and the National Institute of Standards and Technology (NIST).
​
This tutorial is a guideline for best practices, but you are encouraged to review your company's privacy and data protection policy to ensure you are following your organization's procedures.
​
---
​