Today Alston & Bird’s Peter Swire and DeBrae Kennedy-Mayo, with support from Senzing, Inc., are publishing a White Paper titled The Importance of Accurate Retrieval of Data Subjects’ Personal Data in Complying with GDPR Individual Rights Requirements.
The General Data Protection Regulation, which enters into effect on May 25, 2018, goes considerably beyond existing law in setting forth individual rights that allow data subjects to control how their personal data is used. This Paper addresses an important issue for implementing individual rights – how can those companies who process data ensure that they uniquely identify data subjects when administering their data subject rights?
In responding to individual rights requests, the ad hoc measures that many companies have employed to date may in many instances no longer be sufficient to comply with the GDPR. Companies that process personal data face greatly increased potential fines. These companies – both the controllers who determine how personal data may be used, and the processors who act on their behalf – thus have strong reason to discover and implement effective measures to respond to requests to uphold individual rights.
This Paper briefly describes the individual rights that are most salient under the GDPR, including the right of data subjects to access their personal data and rectify inaccuracies in such data. It then examines key technical issues for pulling together the relevant data in a company’s many databases, while excluding the irrelevant data. The Paper highlights two crucial goals for processing individual rights requests:
- One requirement is for accurate “entity resolution,” which means linking the relevant data with each person.
- Another requirement is to achieve this entity resolution while acting consistently with the many other requirements of the GDPR, including data minimization and avoiding the violation of other data subjects’ rights, such as ensuring that personal data is released to the correct data subject in the context of a data access or portability request.
This Paper analyzes the appropriate technical measures required by GDPR’s Data-Protection-by-Design requirements. To comply with the goals and requirements of the GDPR, companies should carefully examine their systems’ abilities of responding to individual rights requests such as the right to access. The GDPR drives the use of technology to achieve compliance. The GDPR particularly mandates that the “state of the art” and “the cost of implementation” should be taken into account when a company is determining the appropriate technical measures to use.