IAPP | OneTrust Webinar – Subject Access Rights: GDPR Implementation Guide
Broadcast date: Wednesday, December 6, 2017
8:00 – 9:00 a.m. PST, 11:00 a.m. – 12:00 p.m. EST, 4:00 – 5:00 p.m. UTC
The GDPR grants data subjects new rights including: data portability, access to their data, erasure or “the right to be forgotten,” and rectification. For data controllers, there are specific record-keeping requirements around the time to respond, the ability to request an extension, the requirement to validate identity, and the secure transmission of the response to the individual. Join us for this educational web conference to hear about the new rights of data subjects and how organisations can use privacy management software to streamline and automate requests, validation, and notification processes.
• Brian Philbrook, CIPP/E, CIPP/US, CIPM, CIPT, Privacy Counsel, OneTrust
• Dr. Andreas Splittgerber, Technology and Privacy Lawyer, Reed Smith LLP, Germany
Eligible CPEs: CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, and CIPT
1.0 CPE credit
The GDPR goes into effect on 25 May 2018, and outlines distinct data subject rights for EU customers and employees:
- Article 12: Exercise of the Rights of the Data Subject
- Articles 13 & 14: Right to Be Informed
- Article 15: Right to Access
- Article 16: Right to Rectification
- Article 17: Right to Erasure (“Right to be Forgotten”)
- Article 18: Right to Restriction of Processing
- Article 19: Notification Obligation
- Article 20: Right to Data Portability
- Article 21: Right to Object to Processing
- Article 22: Right to Object to Automated Individual Decision Making
- Article 7(3): Right to Withdraw Consent
These GDPR Articles have also created new operational requirements for organisations to “facilitate” the requests (Art 12(2); Rec 59) both “electronically” (Art 12(1), (3); Rec 59) and within a specified time period (Art 12(3); Rec 59), through demonstrable record keeping (Art 5; Rec 39) and clear communication (Art 12(1); Rec 58). Thus, international organisations, across size and sector, are significantly transforming their business processes to comply with the new data subject rights obligations.
Non-compliance with and infringements of data subject rights trigger the highest tier of administrative fines in the GDPR: up to 4% of global revenue, or €20M. Perhaps more concerning is that data subjects are granted the right to seek compensation for damages suffered (Art 82; Rec 146), which is why many regulators and industry experts expect the new regulations to lead to an increased risk of class action lawsuits and brand/reputation damage if companies fail to properly meet the rights of data subjects.