To remain GDPR-compliant when handling a data subject access request (DSAR), it’s vital to understand how the regulation defines personal data.
Personal data refers to any piece of information that identifies an individual; examples include names, email addresses, location data, ethnicity, religion and political opinions, biometric information such as fingerprints, and online identifiers such as web cookies.
Everything that identifies someone can fall under its purview.
Companies need a legal basis for processing personal data. There are six requirements they should fulfill to do this legally:
The seven core principles at the heart of GDPR should form the cornerstone of any data protection strategy. Set out at the start of the legislation, they give direction to everything that follows; they are not absolute rules but reflect its essence, and compliance with their spirit is crucial both for maintaining sound information protection practices and for meeting the specific provisions found within Part 3.
The first principle states that personal data must be processed lawfully. This requires having a valid legal basis for doing so, such as consent or fulfilling contractual obligations.
Remember to clearly communicate the purposes for collecting personal data to individuals through a privacy notice; this can provide essential transparency and help prevent data misuse or unfair treatment.
The second principle states that personal data should only be collected as needed for your purposes. Don’t collect more than is actually required, and conduct regular reviews of your database to ensure you only keep information for as long as necessary.
Protecting personal data with appropriate technical and organisational measures is also required of you under GDPR, to prevent data breaches that can harm both individual users and your organisation’s reputation.
GDPR’s right to be informed requires businesses to disclose how they will use personal data: the collection methods and purposes, the legal bases and any legitimate interests pursued, who the data will be shared with, and how individuals can withdraw consent or file complaints with the supervisory authority. It also requires “active informed consent”, meaning consent is not obtained simply by a pre-ticked box or by silence on online forms that collect personal information.
Both controllers and processors must keep records of the processing activities they engage in, a significant shift from previous European laws, which required no records of third parties. This information must be made available upon request; digital record-keeping systems are recommended because they make amendments simpler.
This regulation applies to any organisation that holds or processes personal data within the EU, regardless of where their headquarters lie. Furthermore, its extraterritorial reach extends to any controller or processor who offers goods or services to data subjects within Europe or monitors behaviour taking place within it, including websites with no physical presence but offering free travel information to visitors from that region.
The right of access provides people with the opportunity to discover whether data is being processed about them and, if that is indeed the case, gain access to it and verify its accuracy and lawful processing.
Simply stated, when you receive a request from a data subject for their personal data, you must provide them with an overview of all categories of data being processed, together with copies. This should also include the purposes of the processing and the recipients to whom the data has been transferred, including details of any third parties to whom it has been disclosed.
This right aims to increase transparency regarding organisations’ use of people’s personal data and to bring that transparency directly to citizens. Adopted in 2016 and finally put into force in May 2018, it forms part of Europe’s commitment to adapting to digitalisation. Research has also indicated that exercising one’s rights collectively may increase effectiveness: making requests simultaneously can set a standard for quality replies while prompting organisations to become better data stewards.
Article 17 also recognises an individual’s right to be forgotten, or “the right to erasure”. It allows them to request that their personal data be erased from any systems, and that any other organisations holding access or copies be informed that the information should also be deleted. When receiving such a request, an organisation is obliged to delete the personal information from its systems immediately, while also notifying any others who may hold copies or links so that they can dispose of it safely.
Before removing someone’s personal information, data controllers are required to verify the requester’s identity. If the request appears manifestly unfounded or excessive, they must inform the requester, and any organisations holding that data, why the request has been denied.
If a data subject requests that their information be deleted, organisations must respond within 30 days and inform them of their right to complain to the Information Commissioner’s Office or a court; exceptions apply where the data is needed for legal claims or for scientific or historical research in the public interest. Many organisations find this aspect of GDPR compliance challenging.
The right to data portability aims at rectifying an imbalance in power between platform users and companies that own them by enabling individuals to take their personal information with them when leaving one service for another, which may offer more privacy protections.
Data portability differs from access in that it covers only data individuals have provided to you themselves or that was generated by observing their activities (which should be clear from their request). This includes certain data processed through connected objects such as smart meters and wearables, for example heart rate readings from health devices or raw readings from smart meters. It does not cover additional data derived from that original source, such as user profiles created subsequently from it.
Also excluded from data portability requests are processing activities conducted to fulfil legal obligations or to perform tasks in the public interest. So, for instance, if you’re a financial institution and process data to combat money laundering and other forms of crime, data portability requests would likely not apply; nonetheless, it would still be wise to have an internal policy for recording verbal requests and making sure staff recognise them correctly.
Privacy by Design (PbD) is an approach to data processing system development that ensures security from its inception. Organisations using PbD must consider potential unintended privacy breaches prior to building systems and ensure they contain default procedures that minimise data collection and processing.
Organisations must also make it as easy as possible for people to exercise their rights under the various privacy laws. A company cannot compel users to agree to its sharing of personal data with third parties by placing an obscure pre-ticked box at the bottom of a form, and it must give users an easy way to withdraw consent at any time.
Article 25 of the General Data Protection Regulation lays out the principles of privacy by design and is binding for all companies that process EU citizens’ personal data. In order to comply with GDPR requirements, companies must demonstrate they have implemented privacy by design in their processes and have adhered to its seven principles.
Reaching this goal requires an organisation to adapt its culture in order to embrace privacy by design. Furthermore, all staff involved with product and service development should receive sufficient basic privacy training in order to incorporate necessary safeguards into their designs.
The General Data Protection Regulation (GDPR) is one of the strictest sets of privacy laws ever.
If your company processes personal data about EU citizens, then compliance with its seven core principles:
An understanding of each of the six official GDPR principles will make becoming compliant easier, so this article explores each principle in detail while offering practical suggestions on how to implement them, such as conducting data mapping exercises and sharing that documentation with staff.
Principle 2 furthers this requirement by mandating that you be clear with customers about what’s happening with their data and why. You can accomplish this by clearly explaining your reasons for processing it and seeking their explicit permission prior to using it for other purposes. Furthermore, Principle 2 mandates that any data collection should only serve its stated purpose rather than unstated ones.
As is evident, becoming GDPR-compliant involves many moving parts. But with this quick guide as your foundation, your journey towards GDPR compliance should proceed more smoothly.