Security compliance Designing security programs GDPR ISO 27701 SOC 2

Navigating GDPR: How to protect data subject rights

Privacy regulations around the world are expanding exponentially as technology advances and customers demand more control and transparency into the use of their personal data. The GDPR has been at the forefront of the digital privacy conversation, and any business that interacts with EU customers is required to abide by it. One of the concepts at the core of the GDPR’s provisions — and other privacy frameworks like ISO 27701 and SOC 2 with privacy — is data subject rights.

Read on to learn what data subject rights are and how you can transform them from philosophical statements to concrete security controls, ensuring your company meets GDPR requirements and can prove compliance.

Breaking down data subject rights under GDPR

The GDPR empowers individuals with a number of rights concerning their personal data:

  1. 1. The right to be informed: Individuals have the right to know how their personal data is being used. Organizations are required to be transparent about how they process personal information.

  2. 2. The right of access: Individuals can request access to their personal data. This means they can ask an organization to share what personal information it has about them.
  4. 3. The right to rectification: If personal data is inaccurate or incomplete, individuals have the right to have it corrected.
  6. 4. The right to erasure: Also known as the right to be forgotten, this allows individuals to request the deletion or removal of their personal data when there is no compelling reason for its continued processing.
  8. 5. The right to restrict processing: Individuals have the right to block or suppress processing of their personal data under certain conditions.
  10. 6. The right to data portability: This right allows individuals to obtain and reuse their personal data for their own purposes across different services. It enables them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
  12. 7. The right to object: Individuals have the right to object to the processing of their personal data in certain circumstances, including processing for direct marketing, research, and statistical purposes.
  14. 8. The right to not be subject to automated decision-making: Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

These rights are fundamental to the GDPR, but they are also quite broadly worded, making it a challenge to know how to go about implementing them into your security program.

Data subject rights: from philosophical to practical

Strike Graph simplifies the process of reaching and proving GDPR compliance by providing a library of controls that address the GDPR’s eight data subject rights. These specific, technical language to show your company is meeting the broader requirements of the GDPR and can be used as is or customized to fit your company’s unique risks. Here are some examples.

Learn security terminology → What is a control?

The right to be informed

Strike Graph’s choice-and-consent control and privacy-notice-updates control both address the right to be informed.

Choice and consent control: The privacy notice describes the choices available to the data subject. Explicit consent is collected prior to an individual completing their registration and when personal information is to be used for a purpose not previously specified. The date and time that consent was collected are retained in the user's record. The privacy notice describes the impact of not providing personal information or withdrawing consent.

Privacy notice updates control: The entity provides notice to data subjects before the entity changes its privacy notice or as soon as the privacy notice is changed. The privacy notice is reviewed by management and legal prior to being published.

The right of access

Strike Graph’s Data-subject-authenticate control meets the requirements of right of access.

Data subject authenticate control: Procedures are in place to authenticate the identity of data subjects who request access to their personal information before they are given access to their personal information. Individuals may access their data by providing valid credentials or information. The procedures include steps to notify the data subject when there is not enough data to identify them.

The right to rectification

Strike Graph’s Data-subject-correction control ensures the right to rectification has been provided.

Data subject correction control: Procedures are in place for individuals to correct, update, and/or erase their data. If access is denied, the user is informed in writing and provided with options to appeal.

The right to erasure

Strike Graph’s erasure-of-PII control ensures customers are given the GDPR-mandated right to erasure. 

Erasure of PII: Procedures are in place to erase PII when requested by the data subject. The procedures include the timeline and delivery methods of said erasure, as well as the procedures to inform other controllers of the request for erasure. The organization's responsibilities with respect to exemptions to the data subject right to erasure are documented.

The right to restrict processing and the right to not be subject to automated decision-making

Strike Graph’s Restriction-of-processing control ensures that both the right to restrict processing and the right to not be subject to automated decision-making are honored.

Restriction of processing control: Procedures are in place to address data subjects' requests for restriction of processing. The procedures include any exemptions.

The right to data portability

Strike Graph’s PII portability control meets the requirements to give customers the right to data portability.

PII portability control: Procedures are in place to transmit PII to another controller, upon data subject request. These procedures include scenarios where the right to erasure has been requested and consideration of the rights of others.

The right to object

Strike Graph’s marketing consent control gives user the GDPR guaranteed right to object. 

Marketing consent control: The organization obtains data subject consent to use PII processed under a contract for the purposes of marketing and advertising. Providing consent is not a condition for receiving the service.

Why implement subject data rights controls?

Each of these controls plays a critical role in protecting customer data and ensuring your business remains compliant with GDPR. Beyond compliance, they represent your commitment to respecting and safeguarding your customers' privacy rights. Proof of GDPR compliance is a pivotal trust asset that distinguishes your business. Here's why it's essential:

Building trust

Committing to GDPR with tools like Strike Graph signals to customers you’re serious about data security and privacy, which inspires trust. That trust is the key component in winning more and larger contracts and maintaining customer loyalty.

Competitive edge

When it comes to making a final decision on who to do business with, customers put a lot of weight on how trustworthy your company is. It makes sense — for both individuals and businesses, data breaches can be devastating. When you demonstrate GDPR compliance, you’re putting yourself a step ahead of your competition.

Enhancing revenue

Trust drives customer choices, leading to increased retention and acquisition. By prioritizing GDPR compliance, you're not just avoiding fines — you're unlocking new growth opportunities, turning customer confidence into revenue.

Leveraging Strike Graph for GDPR compliance

Strike Graph isn’t just a tool — it’s your comprehensive solution for navigating the complex terrain of GDPR compliance. Simplifying the management of data subject rights is just one of the many ways Strike Graph empowers your business to uphold the highest standards of data privacy and security.

Our suite of AI-powered features means that your compliance journey — from in-platform risk assessment to automated evidence collection and AI testing to audit prediction and integrated certification — is seamless.

Schedule a demo with one of our GDPR experts to see what a difference Strike Graph can make in your compliance journey, or check out the platform yourself with a free account.

  • copy-link-icon

    Copy URL

  • facebook-icon
  • linkedin-icon

Are you ready to build trust through cybersecurity?