GDPR Article 15 is the Right of Access by the Data Subject.
What it is
This is where users get to see *all* the personal data an organization holds about them.
The data subject has the right to obtain confirmation of whether an organization is processing personal data about them and, if so, a copy of that data together with information about the processing: its purposes, the categories of data, the recipients, the retention period, the source of the data, and whether automated decision-making is involved. A request exercising this right is commonly called a DSAR (Data Subject Access Request).
The request goes to the controller of the data. Once received, the controller must respond without undue delay and in any event within one month; for complex or numerous requests this can be extended by a further two months, provided the data subject is told of the extension, and the reason for it, within the first month. The data must be provided free of charge (a reasonable fee may be charged only for manifestly unfounded or excessive requests, for example repetitive ones) and, where the request was made electronically, in a commonly used electronic form unless the user asks otherwise.
Why it is important for the Data Subject
This right gives data subjects the full picture of what is being stored about them. In simple products and services, this may include only the information they provided. In products and services that process data more heavily, it may include their provided information, data about how they have used the product, and data inferred from that use (including from their connections or from third-party data).
What it means to the organization
A DSAR has several components that an organization needs to address to comply with the regulation. They include, but are not limited to:
- Creating a way for data subjects to request their data
- Authenticating the user making the request: a DSAR is an attractive way for an attacker to obtain someone else's data by impersonating them, so verify identity before anything is retrieved, without demanding more personal data than the verification needs
- Acknowledging the request and setting expectations with the user on when the data will be returned (within one month, extendable by two further months for complex requests)
- Retrieving the data from the organization's systems, including analytics stores and third-party processors, scoped strictly to the requesting subject: the right must not adversely affect the rights of others (Article 15(4)), so other people's personal data must be excluded or redacted
- Converting the data into a commonly used, readable format (see also the right to data portability in Article 20, which requires a structured, machine-readable format)
- Transferring the data in a way that is safe and secure, for example through an authenticated download rather than an unencrypted e-mail attachment
- Implementing and documenting a process for all of the above
For smaller organizations with simple applications or services, this can be done manually. For more complicated applications and services, handling a DSAR can be daunting. Automation greatly reduces the effort and the risk of error; it can be built directly into a product or added through a third-party DSAR tool.
Real world example
A data subject is using an online service that does travel bookings. After receiving many recommendations from the company about future trips, the user decides they would like to know what other information the company has stored on them, and they request this data. The organization in question has been using analytics to predict and provide these travel recommendations. It locates the user in its databases, pulls the user's records from various systems in their native formats, and converts this information into a readable format.
Within one month, the organization responds to the user with a CSV (comma-separated values) file containing all of their provided information plus the set of travel preferences the company's analytics have ascribed to them.
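The process described above, from authenticating the requester through retrieving, scoping and formatting the data, as an added Python example that is not part of the original page or of any real DSAR product. The in-memory data stores, the one-time token verification step, the 30-day approximation of a month and all function names are constructed assumptions:

```python
import csv
import hmac
import io
from datetime import date, timedelta

# Constructed sample stores standing in for the organization's systems.
# Real data would come from databases, analytics pipelines and vendors.
PROFILES = {
    "u-1001": {"name": "A. Traveller", "email": "a.traveller@example.com"},
    "u-2002": {"name": "B. Other", "email": "b.other@example.com"},
}
USAGE_EVENTS = [
    {"subject_id": "u-1001", "event": "search", "detail": "Lisbon, 2 adults", "ts": "2024-03-02T10:15:00Z"},
    {"subject_id": "u-2002", "event": "booking", "detail": "Oslo, 1 adult", "ts": "2024-03-03T08:00:00Z"},
    {"subject_id": "u-1001", "event": "booking", "detail": "Porto, 2 adults", "ts": "2024-03-05T19:42:00Z"},
]
INFERRED = {
    "u-1001": {"preferred_region": "Southern Europe", "travel_party": "couple"},
    "u-2002": {"preferred_region": "Nordics"},
}
# Hypothetical mechanism: a one-time token sent to the subject's registered
# e-mail when the request was lodged, presented back to prove identity.
ISSUED_TOKENS = {"u-1001": "tok-7f3a9c", "u-2002": "tok-0d21be"}

FIELDS = ["category", "field", "value", "source"]


def verify_requester(subject_id, presented_token, issued_tokens=ISSUED_TOKENS):
    """Authenticate the requester before any data is retrieved.
    Constant-time comparison so a wrong token cannot be distinguished by timing."""
    expected = issued_tokens.get(subject_id)
    return expected is not None and hmac.compare_digest(expected, presented_token)


def response_deadline(received_iso, extended=False):
    """Article 12(3): respond within one month of receipt; two further months may
    be added for complex or numerous requests. A month is approximated as 30 days
    here (an assumption); production code should use calendar months."""
    received = date.fromisoformat(received_iso)
    return (received + timedelta(days=90 if extended else 30)).isoformat()


def collect_subject_data(subject_id):
    """Gather provided, usage and inferred data for exactly one subject.
    Every row is filtered on subject_id so nobody else's records are included."""
    rows = []
    for field, value in PROFILES.get(subject_id, {}).items():
        rows.append({"category": "provided", "field": field, "value": value, "source": "account profile"})
    for ev in USAGE_EVENTS:
        if ev["subject_id"] != subject_id:
            continue
        rows.append({"category": "usage", "field": ev["event"],
                     "value": f'{ev["detail"]} @ {ev["ts"]}', "source": "booking platform"})
    for field, value in INFERRED.get(subject_id, {}).items():
        rows.append({"category": "inferred", "field": field, "value": value, "source": "recommendation model"})
    return rows


def build_dsar_export(subject_id, presented_token):
    """Authenticate, collect, and serialise as CSV. Raises on a bad token so
    nothing is retrieved for an unverified requester."""
    if not verify_requester(subject_id, presented_token):
        raise PermissionError("requester could not be verified")
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(collect_subject_data(subject_id))
    return buf.getvalue()


def leaks_other_subjects(export_text, subject_id):
    """Pre-release check (Article 15(4)): the export must not contain another
    subject's identifying values, such as their name or e-mail address."""
    other_values = set()
    for pid, profile in PROFILES.items():
        if pid != subject_id:
            other_values.update(profile.values())
    return any(v in export_text for v in other_values)


if __name__ == "__main__":
    export = build_dsar_export("u-1001", "tok-7f3a9c")
    assert not leaks_other_subjects(export, "u-1001")
    print("Deadline:", response_deadline("2024-03-01"))
    print(export)
```

The order of operations is the security-relevant part: verification happens before any retrieval, retrieval is keyed on the subject identifier rather than on a free-text search, and the export is checked for other people's identifiers before it is released. A real implementation would replace the in-memory stores with queries to each system of record, including third-party processors.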