
Understanding Data Subject Rights

Learn about the rights individuals have regarding their personal data and how your organization should respond to requests.

Under GDPR and similar regulations, individuals (data subjects) have specific rights regarding how their personal data is collected, used, and stored. Organizations must be prepared to respond to these requests appropriately.

**Key Data Subject Rights**

1. **Right to be informed**: Individuals must be told how their data will be used
2. **Right of access**: People can request copies of their personal data
3. **Right to rectification**: Inaccurate data must be corrected upon request
4. **Right to erasure**: Also known as the "right to be forgotten"
5. **Right to restrict processing**: Individuals can limit how their data is used
6. **Right to data portability**: Data must be provided in a usable format
7. **Right to object**: Individuals can object to certain types of processing
8. **Rights related to automated decision-making**: Protection from purely automated decisions

**Handling Data Subject Requests**

- Verify the identity of the requester
- Respond within the required timeframe (typically 30 days)
- Document all requests and responses
- Escalate complex requests to the appropriate team
- Never ignore or delay responding to legitimate requests

**When Employees Receive Requests**

If an employee receives a data subject request:

- Do not attempt to handle it independently
- Forward it immediately to the designated privacy contact
- Record when and how the request was received
- Do not delete or modify any data until instructed
