Law.com Subscribers SAVE 30%
Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
Five Smart Steps to Prepare for GDPR Data Subject Rights
Many corporations around the globe are preparing for May 2018, when Europe's General Data Protection Regulation (GDPR) enforcement kicks in. The regulation encompasses a wide range of nuanced privacy requirements that can be challenging to operationalize. In particular, requirements around the rights of European data subjects — which include the right to be forgotten and rights to access, rectification and objection to processing — will be some of the most difficult to address.
The GDPR states that individuals should have the right to access their personal data so that they are aware of and can verify the lawfulness of its processing. Requests must be responded to promptly, within one month, leaving companies very little time to perform a task that they may not be equipped to handle. The right to be forgotten provision presents similar challenges, giving EU citizens the option to require erasure of their personal information. No barrier exists for citizens to enact these rights, and some countries are planning campaigns to educate the public on them in the coming year. The most operationally complex new data subject rights are:
- Right of Access: EU residents may at any time obtain access to their personal data (what it is, where it is stored and how it is processed) from any entity that houses this information.
- Right to be Forgotten/Right of Erasure: Individuals covered by the GDPR, may at any time require an organization that stores their personal data to dispose and erase their personal data from any and all information sources.
- Right of Data Portability: Data subjects may require an organization to transmit their personal data directly from one controller to another, requiring a company to securely migrate everything containing information on a subject to another provider when processing was based on consent or a contract.
- Right to Restrict Processing: Individuals have a right to “block” or suppress processing of personal data. When processing is restricted, an organization may store the user's personal data, but not further process it and may retain just enough information to ensure that the restriction is respected in the future. Individuals also have a right to not be subject to automated processing or profiling.
Examining what the invocation of a data subject's rights would look like in reality can underscore the importance of this issue. Take the hypothetical example of a medium-sized life insurance company that insures one million customers and must fulfill an average of one data subject access request per insured once every 2,000 years. This conservative estimate equals .05% of one million — or 50,000 requests — per year. Boiling that 50,000 down to the day equals 200 requests per day, or 25 requests per hour for a standard eight-hour work day. Consider the dedicated staff and resources that may be needed to handle such a burden. Organizations in banking, insurance, retail and other industries that involve large volumes of private customer data should realistically prepare for volumes higher than conservative estimates.
This premium content is locked for Entertainment Law & Finance subscribers only
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
- Stay current on the latest information, rulings, regulations, and trends
- Includes practical, must-have information on copyrights, royalties, AI, and more
- Tap into expert guidance from top entertainment lawyers and experts
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
The DOJ's Corporate Enforcement Policy: One Year Later
The DOJ's Criminal Division issued three declinations since the issuance of the revised CEP a year ago. Review of these cases gives insight into DOJ's implementation of the new policy in practice.
Use of Deferred Prosecution Agreements In White Collar Investigations
This article discusses the practical and policy reasons for the use of DPAs and NPAs in white-collar criminal investigations, and considers the NDAA's new reporting provision and its relationship with other efforts to enhance transparency in DOJ decision-making.
The DOJ's New Parameters for Evaluating Corporate Compliance Programs
The parameters set forth in the DOJ's memorandum have implications not only for the government's evaluation of compliance programs in the context of criminal charging decisions, but also for how defense counsel structure their conference-room advocacy seeking declinations or lesser sanctions in both criminal and civil investigations.
How AI Has Affected PR
When we consider how the use of AI affects legal PR and communications, we have to look at it as an industrywide global phenomenon. A recent online conference provided an overview of the latest AI trends in public relations, and specifically, the impact of AI on communications. Here are some of the key points and takeaways from several of the speakers, who provided current best practices, tips, concerns and case studies.
CLE Shouldn't Be the Only Mandatory Training for Attorneys
Each stage of an attorney's career offers opportunities for a curriculum that addresses both the individual's and the firm's need to drive success.