The Data Subject Rights Episode
Transcript
Introduction to the Guest and Topic:
Host Ally Krings introduces Suzette Corley, a Privacy Auditor at Kirkpatrick Price. The conversation centers on data subject rights and how organizations can uphold these rights to safeguard personal data. Suzette shares her journey into privacy auditing, which began out of curiosity and evolved into a passion for educating businesses on compliance and data protection.
What is a Privacy Auditor?
A privacy auditor evaluates an organization’s compliance with privacy frameworks such as GDPR and CCPA. The role involves understanding business processes, interviewing teams, and applying privacy standards to ensure data is handled responsibly. Suzette explains that privacy auditing is a dynamic and constantly evolving field, requiring professionals to stay current with changing regulations.
What Are Data Subject Rights?
Data subject rights are legal and ethical entitlements that allow individuals to control their personal data. These rights include the ability to access, correct, delete, and control how data is shared or processed. Laws like GDPR and CCPA formalize these rights, but honoring them is also considered good business practice because it builds trust and prevents reputational harm.
Why Honor Data Subject Requests?
Even in states without privacy laws, honoring requests is increasingly common because it simplifies operations and demonstrates accountability. Ignoring requests can lead to negative publicity and customer dissatisfaction. Many organizations now choose to honor requests universally rather than segmenting by jurisdiction.
How Do Jurisdictions Affect Compliance?
GDPR set the global standard for privacy rights, while U.S. state laws vary. Companies often adopt the strictest standard to cover all jurisdictions. For example, GDPR requires responses within 30 days, while CCPA allows 45 days. Using the shortest timeline ensures compliance across regions.
Examples of Data Subject Rights:
- Right to Access: Individuals can request a copy of all personal data an organization holds, presented in a clear and understandable format.
- Right to Object: Individuals can object to targeted advertising or the sharing of their data with third parties.
- Right to Data Portability: Individuals can request their data in a readable format to transfer to another provider, often followed by a deletion request.
Why Do These Rights Matter?
Beyond convenience, these rights protect individuals from unwanted data sharing and excessive profiling. They also give people control over how their information is used, which is critical for maintaining trust in a digital economy.
Controllers vs. Processors:
Controllers decide how data is used, while processors act on instructions from controllers. Most data subject rights apply to controllers, but processors may assist in fulfilling requests under contractual obligations. Some companies serve as both, depending on the type of data they manage.
Privacy Notices and Disclosures:
Privacy notices should clearly state what data is collected, how it is used, who it is shared with, retention periods, and instructions for exercising rights. These notices are typically linked at the bottom of webpages or emails, though few users read them. Companies must ensure notices are accessible and written in plain language.
Checklist for Compliance:
Suzette recommends organizations:
- Develop clear policies outlining how rights are handled.
- Train frontline teams to escalate requests properly.
- Map data to understand where it resides and who processes it.
- Implement tracking systems for requests and responses.
- Secure data transfers using encryption or secure portals.
- Document legal reasons for denying requests and provide respectful explanations.
- Continuously update policies and monitor regulatory changes.
Final Thoughts:
Honoring data subject rights is not just a legal obligation—it’s a business imperative. Organizations that prioritize transparency and compliance build stronger relationships with customers and reduce risk. Suzette emphasizes that privacy programs should evolve continuously to keep pace with changing laws and technologies.
Notes
In this episode, host Allie Krings sits down with Suzette Corley, Privacy Auditor, to learn more about data subject rights. It’s not just about checking a compliance box; it’s about building trust and keeping data safe in a world where privacy matters more than ever.