Relevant GDPR Articles
- Article 12: Exercise of the Rights of the Data Subject
- Article 13, 14: Right to Be Informed
- Article 15: Right to Access
- Article 16: Right to Rectification
- Article 17: Right to Erasure (“Right to be Forgotten”)
- Article 18: Right to Restriction of Processing
- Article 19: Notification Obligation
- Article 20: Right to Data Portability
- Article 21: Right to Object
- Article 22: Object to Automated Individual Decision Making
- Article 7(3): Right to Withdraw Consent
Data Subjects Rights Trigger the Highest Penalties and Risk of Class Actions
The General Data Protection Regulation (GDPR) outlines nine distinct rights of data subjects, and requests to exercise them must be received, fulfilled, and documented by organizations. The complexities lie in the varying types of requests, finding the data to fulfill the request, the numerous exception cases when the request does not need to be fulfilled, as well as the documentation, response times, extension requests, identity validation, and security requirements for how requests are fulfilled.
Infringements of data subject rights trigger the highest penalties (4% of global revenue or 20M EUR). In addition, data subjects also have the right to receive compensation for damages suffered. What’s worrisome is that these claims are not subject to the penalty cap in GDPR; they are in addition to the penalties and are to be proportionate to the harm to the data subject.
OneTrust End-to-End Workflow Automation and Record Keeping Solution
To comply with the new data subject rights set forth in the GDPR, organizations should make it easy for data subjects to submit requests. OneTrust provides a standardized way for privacy programs to receive requests and manage them in a centralized system.
Request Intake via a Fully Customizable Portal
Create a Request Intake Web Form and Portal
Build and configure web forms to capture data subject requests based on regulation-specific requirements.
Integrate the Web Portal Into Your Websites
The OneTrust-generated web forms can be fully tailored and integrated into your website with a single line of code.
Meet Your Brand Needs with Complete Customization
Ensure the end-user experience is consistent with your organization’s brand by adjusting the language, logo, color, and content of your web portal and email communications.
Out-of-the-Box Multilingual Capabilities
The OneTrust privacy research team has developed various data subject request templates with default settings, available in multiple languages. Start from one of these or build your own in the easy-to-use, drag-and-drop interface.
Enable Data Subjects to Select Their Preferred Language
When submitting a request, enable data subjects to select their preferred language for seamless request fulfillment routing. Translate all email communications into 45 languages.
Hosting Flexibility: EU Cloud, US Cloud, or On-Premises in Your Datacenter
Containerize and isolate your data in the residency location or data center of your choice. Migrate between cloud and on-premises at any time if your requirements change.
Automated Assignment Workflows
The process of receiving and fulfilling requests requires automating workflows for the privacy team, business users, and data subjects. OneTrust allows you to define the end-to-end subject request process from assignment to review and approval.
Validate the Requestor’s Identity
Validate the data subject’s identity through internal systems, API integrations, customer service processes, and third-party validation services.
Require Attachments for Identity Validation
With OneTrust, organizations can require that data subjects attach identification documents to requests to help validate identity and prevent fraud. Attachments are scanned for viruses and accompanied by reCAPTCHA.
Assignment Routing Workflows
Assign main responsibilities to privacy offices, IT teams, or business users based on the type of request and where the data resides.
Automatic Task and Sub-Task Assignment
Configure sub-tasks for relevant business and IT owners when a request is submitted. Sub-tasks help ensure each detail of a request is completed in a timely fashion by the appropriate party.
Track Deadlines and Automatically File an Extension
Document and communicate the justification if more time is needed to fulfill the request, and use the OneTrust platform to automatically file the extension if the deadline is approaching.
Control the Access, Edit, and Advancement of a Request
Leverage full control over administrative roles and permissions to ensure requests are adequately reviewed and approved.
Finding the Data and Fulfilling the Request
Link to Underlying Data Map
Search within the data inventory and map within OneTrust, or from external sources, to easily find, modify, or erase subject data.
Integrate with IT Service Management Tools
Integrate with third-party service management tools like ServiceNow or BMC Remedy to identify, track, and fulfill requests sent to IT teams.
Consolidate Requested Information from Multiple Sources
Use OneTrust to consolidate requested information from multiple disjointed approaches into a single, unified message to the data subject.
Auto-Delete Non-Essential Data with Retention Policies
Auto-delete any attachments containing personal data after a request is adequately fulfilled.
Securely Communicate Responses to Data Subjects
OneTrust’s secure messaging portal transmits a notification to a data subject via encrypted channels to protect the communications and information being provided.
Enable two-factor authentication for an additional layer of verification and security.
Read Receipts and Two-Way Collaboration
Track and notify when your responses are read. Track follow-up requests and messages linked back to the same data subject.
Auto-Revoke Access to Data Subject Portal
After a data subject request is fulfilled, cut off end-user access to the data subject portal to prevent confusion or abuse.
Compliance Reporting, Trends, and Analytics Dashboard
Report on Compliance
OneTrust helps you maintain a complete record of data subject request activities to demonstrate compliance with data protection regulations. Capture data subject contact information, details of the request, when and how the request was completed, as well as your response to the request.
Full Audit Trail of All Changes
View the complete lifecycle of a request, including auditable details of every data subject interaction. Generate a full audit report of each data subject request.
Granularly track the raw cost of fulfilling each request to understand where further automation investments may be necessary.
View Trending Information in Visual Dashboards
Quickly view and manage data subject requests in a centralized dashboard. OneTrust provides full visibility to monitor the volume of requests, fulfillment status, and any aging requests or outliers.
Why OneTrust Data Subject Rights?
- Insightful metrics into request costs and trends for clear value and internal ROI metrics
- Deep regulatory guidance-based privacy research, reporting, and built-in templates
- Self-service deployment or additional support from the OneTrust implementation team
- Fully scalable solution, from small and medium businesses to large multinational enterprises
- Multi-lingual product translated by OneTrust’s in-house, privacy-trained localization team
- Flexible and modular pricing structure to meet program maturity and budgetary uncertainties
- Out-of-the-box ready solution with a highly tailorable and customizable platform
- Deployment flexibility in EU cloud, US cloud, or on-premises with the ability to migrate
- Available as a stand-alone module or as part of OneTrust’s comprehensive and integrated platform