Relevant GDPR Articles
- Article 12: Exercise of the Rights of the Data Subject
- Articles 13 and 14: Right to Be Informed
- Article 15: Right to Access
- Article 16: Right to Rectification
- Article 17: Right to Erasure (“Right to be Forgotten”)
- Article 18: Right to Restriction of Processing
- Article 19: Notification Obligation
- Article 20: Right to Data Portability
- Article 21: Right to Object
- Article 22: Right to Object to Automated Individual Decision-Making
- Article 7(3): Right to Withdraw Consent
Data Subject Rights Trigger the Highest Penalties and Risk of Class Actions
The General Data Protection Regulation (GDPR) outlines nine distinct rights of data subjects that must be received, fulfilled, and documented by organizations. The complexities lie in the varying types of requests, finding the data to fulfill the request, the vast and granular exception cases when the request does not need to be fulfilled, as well as the documentation, response times, extension requests, identity validation, and security requirements of how the requests are fulfilled.
A little-known fact about the GDPR is that it includes two separate tiers of fines for non-compliance: the first tier is a fine of up to 2% of global revenue (or 10M EUR), and the second tier is a fine of up to 4% of global revenue (or 20M EUR). Infringements of data subject rights trigger the highest 4% tier (Article 83(5)).
In addition to these penalties, data subjects also have the right to receive compensation for damages suffered. What’s worrisome is that these claims are not subject to the penalty cap in the GDPR; they are in addition to the penalties and are to be proportionate to the harm suffered by the data subject.
Data protection authorities are investing in public relations and communications campaigns to educate the public about these new, important rights. As a result, many organizations speculate that this may create an industry around class action lawsuits, increase the volume of requests received, and draw scrutiny on how organizations handle, fulfill, and record data subject requests.
OneTrust End to End Workflow Automation and Record Keeping Solution
To comply with the data subject rights set forth in the GDPR, organizations should make it easy for data subjects to submit requests. OneTrust provides a standardized way for privacy programs to receive requests and manage them in a centralized system.
Request Intake via a Fully Customizable Portal
Create a Request Intake Web Form and Portal
Build and configure web forms to capture data subject requests based on regulation-specific requirements.
Integrate the DSAR Portal Into Your Websites
The OneTrust-generated web forms can be fully tailored and integrated into your website with a single line of code.
Out-of-the-Box Multilingual Templates
The OneTrust privacy research team has developed various Data Subject Request templates with default settings, available in multiple languages. Start from one of these or build your own in the easy-to-use drag-and-drop interface.
Hosting Flexibility: EU Cloud, US Cloud, or On-Premises in Your Datacenter
Containerize and isolate your data in the residency location or data center of your choice. Migrate between cloud and on-premises at any time if your requirements change.
Automated Assignment Workflows
The process of receiving and fulfilling requests requires automating workflows for the privacy team, business users, and data subjects. OneTrust allows you to define the end-to-end subject request process from assignment to review and approval.
Validate the Requestor’s Identity
Validate the data subject’s identity through internal systems, API integrations, customer service processes, and third-party validation services.
Assignment Routing Workflows
Assign subject requests to other privacy officers, IT teams, or business users based on the type of request and where the data resides in the company’s applications.
Track Deadlines and Automatically File an Extension
Document and communicate the justification if more time is needed to fulfill the request, and use the OneTrust platform to automatically file the extension if the deadline is approaching.
Finding the Data and Fulfilling the Request
Link to Underlying Data Map
Search within the data inventory and map within OneTrust, or from external sources, to easily find, modify, or erase subject data.
Integrate with IT Service Management Tools
Integrate with third-party service management tools like ServiceNow or BMC Remedy to identify, track, and fulfill requests sent to IT teams.
Consolidate Requested Information from Multiple Sources
Use OneTrust to consolidate information retrieved from multiple disconnected sources into a single, unified response to the data subject.
Securely Communicate Responses to Data Subjects
OneTrust’s secure messaging portal notifies the data subject over encrypted channels to protect both the communication and the information being provided.
Enable two-factor authentication for an additional layer of identity verification and security for the data subject.
Read Receipts and Two-Way Collaboration
Track when your responses are read and receive notifications, and link follow-up requests and messages back to the same data subject.
Compliance Reporting, Trends, and Analytics Dashboard
Report on Compliance
OneTrust helps you maintain a complete record of data subject request activities to demonstrate compliance with data protection regulations. Capture data subject contact information, details of the request, when and how the request was completed, and your response to the request.
Granularly track the raw cost of fulfilling each request to understand where further automation investments may be necessary.
View Trending Information in Visual Dashboards
Quickly view and manage data subject requests in a centralized dashboard. OneTrust provides full visibility to monitor the volume of requests, fulfillment status, and any aging requests or outliers.
Why OneTrust Data Subject Rights?
- Insightful metrics into request costs and trends for clear value and internal ROI metrics
- Deep regulatory guidance-based privacy research, reporting, and built-in templates
- Option for self-service deployment or additional support from the OneTrust implementation team
- Fully scalable solution for small and medium businesses to large multinational enterprises
- Multilingual product translated by OneTrust’s in-house, privacy-trained localization team
- Flexible and modular pricing structure to match program maturity and budget constraints
- Out-of-the-box ready solution with a highly tailorable and customizable platform
- Deployment flexibility in EU cloud, US cloud, or on-premises with the ability to migrate
- Available as stand-alone module or as part of OneTrust’s comprehensive and integrated platform