CNA EXPERTS

Data Subject Rights: What Actions Are Needed to Comply Under GDPR

By Terri Mason-Benjamin | Published April 20, 2018

The European Union's General Data Protection Regulation, or GDPR, enhances existing data subject rights previously provided for under the Data Protection Directive 95/46/EC, while also introducing new rights, which will have large implications for business that gather or process personal data. These organisations will have new obligations under the GDPR and will have to take steps to protect and comply with these rights.

These rights include the right for customers to information, to access their own personal data, correct or erase that personal data, restrict and object to data processing. They will also be able to receive a copy of their personal data or transfer it to another data controller, not be subject to automated decision-making and be notified of a data security breach.

A summary of the actions needed to safeguard these rights are:

Right of Information: Organisations need to have mechanisms in place to ensure fair and transparent processing, including adequate and clear privacy notices.

Right of Access: Organisations need to have mechanisms in place to provide access to and copies of personal data to data subjects.

Right to Rectification: Organisations need to have mechanisms in place to be able to locate all of the data subject's personal data across their systems and update as requested.

Right to be Forgotten: Organisations need to change the way they handle personal data and implement a framework through which they can respond to data subjects' requests to have their personal data erased.

Right to Restriction of Processing: Organisations need to have mechanisms in place to be able to locate all of the data subject's personal data across their systems and restrict its processing as requested and as appropriate.

Right to Data Portability: Organisations need to have mechanisms in place to provide personal data to data subjects in a structured or commonly used machine readable format.

Right to Object: Organisations need to have mechanisms in place to be able to locate all of the data subject's personal data across their systems and be able to stop processing.

Automated Individual Decision Making: Organisations need to have mechanisms in place to identify instances of decisions based solely on automated processing and to stop such processing where appropriate.

Organisations will find these actions easier to embed if they view these not as inconveniences, or try to establish the minimum requirement without facing penalties, but as restoring their customers rights. By taking these actions an organisation can empower their customers in a way that builds trust, and could end up being able to use personal data more effectively because of it.

In Canada, products and/or services described are provided by Continental Casualty Company, a CNA property/casualty insurance company. The information is intended to present a general overview for illustrative purposes only. Read CNA’s General Disclaimer.

Terri Mason-Benjamin
By Terri Mason-Benjamin
Vice President, Marketing and Distribution

Terri is responsible for CNA’s Marketing, Communications, and Broker Distribution initiatives. She leads Canada’s distribution strategy, partner relationships, and brand awareness strategy to solidify CNA’s position as a leader in the Canadian market.

 

Terri joined CNA in 2018 as Assistant Vice President, Cyber & Professional Liability, bringing over 20 years of insurance experience through senior roles at various global insurance carriers and brokers. Terri is a strong leader with deep experience in new product development, broker relations, and business planning.

 

Terri attended York University in Toronto, is a certified Registered Professional Liability Underwriter (RPLU), and is currently working toward the Certified Information Privacy Professional designation.