PRIVACY PROGRAM MANAGEMENT

ONLINE TRAINING TRANSCRIPT

MODULE 9: PRIVACY OPERATIONAL LIFE CYCLE—
RESPOND: DATA SUBJECT RIGHTS

Introduction

Module introduction

Data subjects are the individuals about whom information is being processed, such as the patient at a
medical facility, the employee of a company or the customer of a retail store.

Across jurisdictions, data subjects typically have certain rights, including the right to know how their data
will be used, and the right to opt out of certain processing activities.

Of course, it is vital to adhere to laws and regulations around data subject rights. The practices outlined in
this module can help your organization clarify its privacy-related communications and enable data subjects
to make informed choices regarding how they share their information with you.

Privacy notice

Learning objectives

• Recognize the functions of an outward-facing privacy notice

• Outline common elements of a privacy notice

• Review design solutions to privacy notice challenges

• Explore key communication considerations for providing a privacy notice

Privacy notice: Definition

A privacy notice is the privacy information that you make available or provide to individuals when you
collect information about them.

As described in module 6, privacy notices differ from privacy policies. Privacy notices are generally
external communications to customers while privacy policies are generally internal documents addressed
to employees. Both describe how personal information is going to be handled.

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 2

Can you identify which of the following is not a purpose of a privacy notice?

• Complying with laws, regulations and standards

• Processing personal information fairly and transparently
• Making information about how personal information is used accessible to individuals
• Meeting individuals’ expectations
• *Making an organization exempt from privacy-related lawsuits
• Building trust and confidence

A privacy notice can help an organization comply with applicable laws, but it does not provide blanket
protection from privacy-related litigation. Visit the IAPP Resource Center to explore privacy notice tools
and guidance.

Privacy notice: Common elements

Your organization’s privacy notice will typically explain the following:

• Who are you?

• What information are you collecting?
• How are you going to use the information?
• With whom will you share the information?

Include whether information is collected directly or indirectly, and its likely future uses.

Be sure there is a method to gain and record consent, if required. Consent should only be collected when
it is necessary, as there are other conditions of processing that may be easier to rely on.

Privacy notice: Design challenges and solutions

Privacy notices should be living documents, maintained in a life cycle that includes designing and
developing, testing, releasing, and reviewing and updating where necessary.

Several design strategies can help keep privacy notices accessible to your customers or external
stakeholders. Click on each solution to learn more.

Layered approach: when the notice has a lot of information

• Short notice with key information

• Links that expand topics or one link that leads to longer privacy notice
• Website search leads to the full notice

Just-in-time notice: when you do not have a lot of space for communicating the notice

• Type of layered approach

• Notice appears at time of data input
• More information available through link or by hovering
• Alerts/notifications on smart phone

Icons/symbols: when you need to provide clarity

• Type of layered approach

• Indicators of types of processing

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 3

• Hyperlinks or hover states may provide more information

• Clear design
• Icon/symbol key

Privacy dashboard: when you need to provide accessibility and a high-level overview

• Summary of privacy-related information and metrics

• Easy to access and navigate

Some laws require organizations to use specific strategies for providing privacy notices in certain
situations. For example, the CPRA requires a just-in-time notice if a business “collects personal
information from a consumer’s mobile device for a purpose that the consumer would not reasonably
expect.”

From an expert: Privacy notices

Julia Palmer, CIPP/E, CIPM, Data Protection Officer, Shawbrook Bank Limited

So, your notice has really got to cover, you know, what’s the actual personal data that we hold about you.
What are we doing with your data and how; what rights have you got, for how that data is processed by
us? And also we, obviously in the UK, we also include, you know, what’s the lawful basis for us to be able
to do that in the first place. So, it’s very much about us communicating to the individual, to the data
subject whose information it is that we’re handling. We want to tell you as much as possible about what
we are doing with your data and why, so that you can clearly understand and make a decision whether or
not, you know, you are actually happy to share your data with us.

We want to always be sort of transparent and if you’re going to use our products or services or whatever
it is that we are handling that data for, we want to make sure that it’s absolutely clear and there’s no
misunderstanding. There shouldn’t ever be any surprises. Everything that goes into your privacy notice
should be things that cover the areas that maybe all people might not expect you to do. So, if somebody
later, perhaps, submits a data subject access request, for example, and they realize that there’s data that
they didn’t realize that you had—that should not happen. It should all be upfront and available in the
privacy notice and that’s the purpose of it.

Everything that’s contained in your privacy notice you should be able to demonstrate in your policy— “This
is how we handle this type of data.” So, I guess the overlap comes into the nature of the data that’s being
processed. So, we tell people what data we are processing of them, and in our policy, we’ll also, you
know, cover that point as well.

I think there’s limited similarities in the detail, because I think a lot of it in the policy wouldn’t come across
quite the same way because we’re not talking to people in the same, from the same perspective. So, if I
give an example—in my notice, I would tell people what their rights are, whereas in my policy, I’m going
to cover what rights people have available to them, but I’ll also want to demonstrate how we meet those
rights. So, it’s not just about, “These are the rights you have,” but this is how you’re going to deliver
those rights to those individuals.

So, the frequency of review that, certainly, my company uses for all policies is determined by the level of
governance that we believe that policy might require. So, certainly for a privacy policy, we would expect
that to be approved at board level and so we have a kind of formal governance structure by which that
policy will be formally reviewed annually, at least annually. But, clearly, if there’s any change to legislation
in between that time, that’s another trigger for which a review would happen.

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 4

With the privacy notice, it’s, we can be a little bit more flexible to a certain extent, but we don’t want to
be sort of constantly making changes to our notice. So, we have a formal sort of review process annually
but clearly there may be changes during the year that are required to be brought into the notice. We try
to make sure, or certainly try to make sure, that they’re all done at the same time. So, trying to
coordinate it so that we’re only doing, you know, sort of like a once-a-year update to the notice. But there
may be circumstances where it’s actually, “This is an important change, we need to make sure that it’s in
there.” Our aim is transparency in telling people what we’re doing. We don’t, it wouldn’t be the right thing
to do to tell them six months after we’ve started doing it.

So, it’s a balance between not wanting to update it too often but making sure that you are being
transparent, and you are telling people, so you are telling them when change happens. I mean, the other
way potentially of getting around that frequency of change is if the change impacts just maybe one
particular area, is going for that layered approach or that just-in-time approach. So, you make your
change, perhaps it’s on an online form that people are filling in, and you want to make an amendment
there—so, that’s the right place to make it without having to go through that full privacy notice review.
So, I think it is very much a balance between being transparent and getting information out there without
wanting to overload people with multiple notice changes every time there’s something that needs
updating.

So, with the privacy notice, it’s quite important, again, when you’re thinking about who your audience is
and how they’re interacting with you, is thinking about how you’re going to put that notice in front of
them. A privacy notice can end up being a very, very long document if you’re going to try to get across
everything that one document. And so, again, it comes back to trying to think about—at this point in time,
when I’m undertaking this activity, whether it be filling in a form or going online to make a purchase—
what is the information I need to know about the information that I’m providing to you. And that’s really
what you need to get across, at that point in time, with just-in-time notices.

Summary

• A privacy notice is the privacy information that you make available or provide to individuals when
you collect information about them.
• Privacy notices have multiple purposes, including compliance; processing personal information
fairly and transparently; making information accessible regarding how personal information is used;
meeting individuals’ expectations; and building trust and confidence.
• A privacy notice typically explains:
o Who the organization is
o What information it collects
o How it will use the information
o With whom it will share the information
o Whether information is collected directly or indirectly
o What are likely future uses of the information
• Strategies to keep privacy notices accessible to customers or external stakeholders include using a
layered approach (short notice with key information and links); just-in-time notice (appears at the
time of data input and provides additional information); icons/symbols (shows different processing
types using a clear design and icon/symbol key); and privacy dashboards (easily navigated
summary of privacy information and metrics).

Consent

Learning objectives

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 5

• Explore the concept of consent and how it relates to privacy notices

• Define key considerations for opt-in vs. opt-out

• Examine methods for tailoring privacy notices to children and ensuring parental consent when required

• Analyze procedural strategies for responding to individuals’ requests for withdrawal of consent, access
and rectification

Choice and consent

Although providing a privacy notice is not the same as soliciting consent, privacy notices are often tied to
consent options.

If consent is required by law or regulation, there must be a method to get and record it. Under the GDPR,
electronic consent requires an affirmative motion from the individual. A pre-ticked box is not sufficient to
imply consent; according to the Article 29 Working Party, a clear action, such as swiping a bar on a
screen, waving in front of a smart camera, or turning a smartphone around may be sufficient.

Individuals who do not have a choice about the processing of their personal information should not be led
to believe that they do. Individuals who do have a choice must be given the ability to exercise that
choice—and they must be able to revoke that decision. For example, an app on a social media site that
collects personal information based on consent for one purpose, such as a personality quiz, may not also
use that personal information for a different purpose for which consent was not given, such as targeted
advertising. Individuals may decide they no longer want the app to continue processing their personal
information, so there should be a mechanism for them to withdraw consent.

In addition to a record of consent, organizations should keep documentation of the privacy notice provided
at the time of consent. Consents should be regularly reviewed to determine if a refresh is necessary (if,
for example, you have made changes to your processing operations or if laws, regulations or standards
have changed). It is also important to note that while consent is required by law in many instances, it is
not always required and may not be the only reliable basis for processing personal information.

Opt-in versus opt-out

A data subject can give their consent to processing by opting in or opting out—two central concepts of
choice.

Opting in means an individual makes an active, affirmative indication of choice—for example, by checking
a box to signal a desire to share information with third parties. This choice should be clear and easy to
execute.

Opting out means that an individual’s lack of action implies a choice—for example, unless an individual
checks or unchecks a box, their information will be shared with third parties.

If an organization will perform different types of processing, individuals may be given the option to agree
to the activities separately. For example, they might be asked to check “yes” or “no” beside various
methods for direct marketing, such as email, phone and so on.

How might forcing someone to opt out look different than allowing them to opt in? Review each example
below and click on which one represents opting in.

Click here to subscribe to marketing emails and other content

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 6

Would you like to receive additional information?

✓ Yes
o No

Click here to unsubscribe.

Please add me to your mailing list!

The correct example of opting in is shown here. The other examples represent instances of opting out.

Privacy notice for children and consent

There are several considerations for tailoring privacy notices to children and ensuring parental consent for
children under the age threshold. Click each tab to learn more.

Compliance

• The U.S. Children’s Online Privacy Protection Act (COPPA) and the GDPR set out specific rules
regarding providing privacy notices to children and obtaining consent for processing their personal
information
• Children’s information may be considered sensitive information, which warrants heightened
protections

Language and delivery

• Generally, privacy notices geared toward children should be presented in ways children can
understand
• For example, the Office of the Privacy Commissioner of Canada states, “Organizations should
implement innovative ways of presenting privacy information to children and youth that take into
account their cognitive and emotional development and life experience.”

Age

• Laws and regulations may establish an age threshold for consent

• In practice, a website may ask for the user to enter their age before accessing content, or a web
application for children may require consent via a parent’s email account before collecting and
processing the personal information of a child under 13 years old
• The age threshold may vary depending on jurisdiction

Purpose of processing

• The purpose of processing may trigger certain rules—for example, organizations may be prohibited
from tracking children for online behavioral advertising purposes

From an expert: Responding to withdrawals of consent and data access requests

Antonis Patrikios, CIPP/E, CIPM, FIP, Partner, Dentons, IAPP Faculty

So, we said when consent is freely given, the implication is that if it’s freely given, it can also be freely
revocable. So, what we need to be doing in addition to the other things we discussed in relation to

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 7

consent, is, also, have a process and policy in place for enabling people to withdraw their consents. Now,
we’re gradually moving into exercise of data subject rights. And with all the rights that we’re going to
consider, there are basically two or three high-level elements that you need to think about across all
rights.

You need to have a policy. Here’s when we’re going to accept a withdrawal of consent. Here’s how we’re
going to deal with a data subject access request. Here’s how we’re going to deal with data portability
requests. You need a policy. Then you need a process that enables the policy to be carried out. So, there’s
people who are trained whose responsibility is to deal with those things. And what’s the third piece? You
need to have a policy. You need a process. And what else is a pre-requisite for you to be able to comply
with these requests? Your technology needs to support it. So, your technology needs to be able, rather,
you need to be able to use your technology to find every consent or every data record that we keep about
a person. You need to be able to isolate it, amend it, extract it, and potentially deliver it. And that may
sound very easy to do, but, actually, for some of the big organizations that deal with a lot of legacy
systems, even having a single view of what data you hold about people can be very, very difficult, indeed.

So, looking at how you would revoke a consent, you could … and that’s the other thing you need to
remember about people exercising their rights; there’s no formal way of doing it; they don’t have to send
you an email that says, revocation of consent or data subject rights request or anything like that. It could
be as simple as someone picking up the phone to your customer services and saying, “I want to withdraw
my consent.”

So, the other implication is, we have a policy, we have a process, our technology supports it, we also need
to be aware that the touchpoints which may receive these requests know what to do with it and,
therefore, also train them. So, that’s what you have to do in terms of consent. And to help us sort of
digest this a little bit, the typical practice is, we make it extremely easy for people to give us their
consent, then don’t make it equally easy for them to revoke it. That also changed [under the GDPR].
Withdrawing your consent must be at least as easy as giving it. And it can happen at any time. It can be
at any part of the business that sort of liaises with consumers. And it should be as easy as giving it. And
we should keep a record of that withdrawal. The other consequence should be, there shouldn’t be a
penalty for withdrawing consent. So, as we said when we were giving it, we can’t make access for a
website or participation to a contract conditional on obtaining consent for something that’s not strictly
necessary for the contract. Equally, for people who withdraw consent, you can’t … and say, right, but we
can’t give you access to our website anymore or whatever, unless, of course, it’s necessary for what
you’re doing, in which case you shouldn’t have relied on consent in the first place because it can’t be
necessary for the contract, or you’d have another legitimate ground. Has anyone ever received a consent
withdrawal request? Good, I’ve never seen it. I’ve never seen someone say, “Yeah, I gave you my consent
two years ago, now I’m taking it back.” But we’ll see more and more of this under the GDPR.

So, subject access requests, a couple of things. One, it’s the most widely exercised right in the EU, second
only perhaps to the opt-out of marketing. Number two, it can be a big pain in the butt. It’s unbelievable
how much time and effort can go into dealing with a single subject access request, even from an
employee. Recent case, breach of the client, 120K legal fees for helping them look through documents and
decide what they would disclose or not. With 100 … Sometimes we charge 120K for some small clients to
do their whole GDPR-readiness, just to put things in perspective, so it can be a pain. It takes a lot of time.
It sucks resources. And there’s no easy way out of it. So, you have to deal with those requests. And you
have to disclose information in principle. Third, and that’s … to whoever was saying yesterday about how
we expect to more complaints and more litigation around data protection, in many cases, if not most of
the cases, subject access requests are a herald for something potential. There’s an employment dispute
brewing. There’s a complaint brewing. Someone … “Oh, I’ve had it with this bank, and they told me that
they want to take … why don’t I file a SAR and ask them, what data do you have about me and why, and I
can pass this to my solicitor, and he can file a claim.” So, they can be tricky. I think this is going to be a
massive risk area. I already see it being … and you need to be prepared for that.

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 8

Responding to withdrawals of consent (1)

Choice and control should be offered to individuals even after the opt-in stage. If an organization relies on
consent to process personal information, it may want to—or be required to—state in the privacy notice
that the individual can withdraw consent.

An organization’s procedures around withdrawal of consent may address:

• When and how consent may be withdrawn

• Rules for communicating with individuals
• Methods for withdrawing consent
• Documentation of requests and actions taken

The process for withdrawing consent should be publicized—via privacy notices, consent requests, and so
on—to inform individuals on the steps they should take.

Responding to withdrawals of consent (2)

Laws, regulations and best practices may call for enabling individuals to withdraw consent in certain ways.
Uncheck each box to view possible requirements.

Via more than one option

Without penalty

As easily as it was to give

At any time

As soon as possible

In the same method used to give consent

Via anytime opt-out or opt-out by reply

Responding to data subject access and rectification requests (1)

Under certain circumstances, laws and regulations may require an organization to provide individuals with
access to their personal information—and information about the processing performed on it—upon
request, and the ability to correct their information. The information must be provided:

• Completely
• In a timely manner
• Without charge to the individual
• In the same form that the request was made

There may be limits to this right, such as protections for the rights and freedoms of others.

Access and rectification under the GDPR

Click to reveal

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 9

Access and rectification are among the most common areas of privacy program management that
trigger audits from EU authorities if they receive complaints. The GDPR says the rights to access
and rectification are fundamental rights. Under the Data Protection Directive (predecessor of the
GDPR), supervisory authorities and courts saw numerous instances of failures by organizations to
comply with this right.

Responding to data subject access and rectification requests (2)

A privacy team should work with legal to establish policies and procedures that align with legal
requirements.

Have a documented process and follow it. The process may be the first thing a regulator asks about in the
event of an issue.

Click on the images to reveal potential procedural considerations.

Allocation of responsibilities (e.g., customer service staff fielding requests)

Authentication of the requester (e.g., must provide birth date and answer to secret question)

Recording/documenting requests and actions

Mechanism(s) for receiving, recording and fulfilling requests (e.g., online form)

Types of data that may not be disclosed (e.g., others’ personal information)

Time limits for responding (e.g., 30 days) and extensions

Special circumstances (e.g., court order)

Various details about the processing that must be provided upon request (e.g., third parties that have
received the information)

Providing the most up-to-date information

Making corrections across all systems and with third parties

Procedures when the individual and organization do not agree on an amendment request

Summary

• Privacy notices inform individuals of an organization’s privacy practices, but do not solicit or
imply consent. Consent is required by law in many, but not all, cases and may not be the only
reliable basis for processing personal information.
• Data subjects can consent to processing by opting in or opting out. Opting in involves an active,
affirmative indication, whereas with opting out, a lack of action implies a choice.
• An organization’s procedures around withdrawal of consent may address when and how consent
may be withdrawn, rules for communicating with individuals, methods for withdrawing consent, and
documentation of requests and actions taken.
• There are several areas to consider when tailoring privacy notices to children and ensuring
parental consent for children under the age threshold:

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 10

o Compliance: some laws specify rules for providing privacy notice to children and obtaining
parental consent
o Language and delivery: present privacy in ways children can understand
o Age: laws and regulations may establish an age threshold for consent
o Purpose of processing: some purposes may trigger certain rules, like prohibiting the tracking
of children for behavioral advertising
• Laws and regulations may require an organization to allow individuals the ability to access and
correct their personal information—and information about its processing—upon request.
Information must be provided completely, in a timely manner, without charge, and in the same form
the request was made. There may be limits to this right, like protections for the rights and freedoms of
others.

Scenario 4

Marketing AtlantiPulse services (1)

Now that the acquisition is complete, One Earth Medical is moving forward with its plan to market
AtlantiPulse’s service and systems to companies inside and outside the U.S.

One Earth maintains a corporate-wide data warehouse that pulls data from its divisions, including
AtlantiPulse, and aggregates it for various reporting and data analytics functions. This data is now being
used by the marketing department to generate targeted direct marketing campaigns—without informing
customers.

Mary researches the issue and writes up this memo.

Unfortunately, the contracts that AtlantiPulse customers agreed to before the acquisition do not address
the secondary use of this data—One Earth using it for marketing purposes. All AtlantiPulse contracts were
updated to One Earth global standards when AtlantiPulse was acquired, but it is not clear whether One
Earth contracts allow customers to opt out of these secondary types of data usage.

Further, the contract language around customer data and opting out in One Earth’s standard contracts is
unclear.

I will need to resolve these issues before One Earth can move forward with reselling AtlantiPulse services
and systems to companies, since inconsistencies may cause confusion and potential harm.

Marketing AtlantiPulse services (2)

Before One Earth can move forward with reselling AtlantiPulse services and systems to new companies,
Mary needs to focus on the areas shown here.

Take a moment to consider what Mary must do to appropriately address each area; then click each square
for the answer.

Opting out: Provide a mechanism for customers to opt out of the secondary use of data. Some
laws/regulations may instead require customers to opt into certain processing of their personal
information.

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 11

Legal and compliance: Consult with One Earth’s legal and compliance personnel to identify and resolve
any potential legal consequences or issues caused by the unauthorized data usage.

IT: Work with IT to ensure that data from opted-out customers is not pulled into the data warehouse and
that any tainted data in the corporate data warehouse is removed.

Privacy notices: Make sure all privacy notices reflect that use of customer data is for marketing purposes
as well as operational ones.

Contracts: Update all contracts, including those with vendors, to reflect One Earth’s intention to use the
data in other ways.

Communication: Communicate the issue and resolution to internal stakeholders (executives, IT,
marketing) and external stakeholders (shareholders, media, regulators).

Marketing: Make sure that marketing and other functional areas have appropriate policies and procedures
designed with respect to privacy.

Country-specific rights

Learning objectives

• Review examples of different countries’ requirements for responding to data subject rights

• Analyze procedural strategies for responding to requests that exercise EU-specific data subject rights

• Explore what organizations must do to comply with requests related to the rights of data portability,
objection and erasure under the GDPR

Data subject rights across the world

Many countries around the world have data privacy laws stipulating how an organization in their
jurisdiction must respond to data subject requests. Given the requirements of various global privacy laws,
it is critical for global organizations to have robust policies related to data subject rights in place and be
able to respond to them in a timely manner.

Click the markers on the map for examples of countries with laws that govern the handling of data subject
requests. The following slides will discuss EU-specific rights in more detail.

Australia: Australian privacy law establishes a consumer right to access and correct the personal
information an organization holds about them. Organizations may charge a fee for responding to data
subject requests but may not use the charge to discourage data subjects from making requests.
Organizations must develop procedures for fielding and responding to requests within 30 days from
receiving them.

Brazil: The General Data Protection Law (Lei Geral de Proteção de Dados or LGPD) was largely inspired by
the GDPR. It gives data subjects the right to access, rectify, cancel or exclude their personal data. Further,
data subjects may oppose the processing of their personal data and are provided the right to data
portability. One way the LGPD differs from the GDPR is the addition of the data subject’s right to have
their data anonymized in certain circumstances.

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 12

Canada: The Personal Information Protection and Electronic Documents Act (PIPEDA) provides data
subjects with a general right to access their personal information held by businesses subject to it. In
addition, PIPEDA provides data subjects with the right to correct their personal information.

China: The Personal Information Protection Law (PIPL), enacted in November 2021, aims to “protect the
rights and interests of personal information, regulate personal information processing activities, and
promote the rational use of personal information.” While the PIPL mostly aligns with the GDPR with
respect to personal information rights, it is not as strictly defined—for example, where certain restrictions
or exemptions may apply or what constitutes a timely reply to data subject requests. The PIPL provides
individuals the right to bring lawsuits against processing entities who reject requests to exercise their
rights.

EU: The EU’s GDPR has been in effect since 2018 and has become a global standard for data protection. It
provides rights for data subjects to withdraw consent for processing, request a copy of all their data,
request the ability to move their data to a different organization, request to delete their data and object to
automated decision-making processes.

South Africa: The Protection of Personal Information Act (POPIA) aligns South Africa with global data
protection best practices. It provides data subjects several rights, such as the right to: access and correct
their personal information, object to the processing of their personal information for direct marketing
purposes, and object to automated decision-making processes in certain circumstances.

U.S.: The U.S. has no comprehensive federal data privacy law yet, but several state privacy laws, as well
as industry-specific regulations, have requirements regarding data subject rights. Comprehensive state
privacy laws include California’s CPRA, Virginia’s CDPA, and Colorado’s CPA (which takes effect July 1,
2023). These state laws have similar data subject rights, including the right to access, correct, and delete
personal data, and opt out of the sale and certain uses of personal data.

EU-specific rights

EU-specific data subject rights will affect organizations within and outside the EU, given the broad scope of
the GDPR.

For example, a data software company in the U.S. that is offering its product in the EU must build
portability capabilities into its product development. If the organization is subject to the GDPR, the privacy
team should work with legal to determine all the circumstances that may allow for the exercise of this
right, as well as exceptions.

The GDPR has specific data subject rights that organizations subject to the GDPR should incorporate into
internal policies and procedures. These include data portability, erasure and the right to be forgotten,
restriction of processing, the right to object to processing of one’s personal data, and the right “not to be
subject to a decision based solely on automated processing, including profiling, which produces legal
effects ... or similarly significant effects.”

EU-specific rights: Facilitating data portability

Data portability is a right that applies only in some circumstances—processing based on consent or
contractual necessity.

It means that personal data must be interoperable—transferrable from one organization to the individual,
another controller or a third party designated by the individual in a format that is, according to Article 20
of the GDPR, “structured, commonly used and machine-readable,” and without hindrance. A privacy team

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 13

should work with legal to determine when this right applies and, if so, work with IT to ensure this
capability is built into technical systems.

Potential difficulties may arise from storing data in proprietary formats. Organizations that use their own
internal data processing software may have difficulty transferring the personal data in an acceptable
format.

EU-specific rights: Erasure and the right to be forgotten

Under the GDPR, individuals have the right to request erasure of their personal data under specific
circumstances—for example, if they withdraw their consent.

If the organization is subject to the GDPR or other laws and regulations regarding erasure, the privacy
team should work with legal to determine all the circumstances that may allow for the exercise of this
right.

Erasure entails both:

• Ceasing processing
• Deleting data

Policies and procedures can help ensure these actions take place across all systems.

Erasure has been broadened to include the right to be forgotten, which applies when personal data has
been made public by the organization. The data controller is responsible for taking steps to ensure the
personal data—including links, copies and replications—is erased by third parties.

Right to be forgotten challenges

Consider the potential challenges the right to be forgotten may pose for organizations. How could your
organization address these issues?

Click on “Submit” to compare your challenges with Mary’s.

Mary’s Challenges

• Ensuring third-party compliance

• Some data may be needed for other reasons (legal, financial) and cannot be removed
• Data propagated in multiple places
• Ensuring data is removed from backup systems and/or archives

EU-specific rights: Right to object

In accordance with Article 21(1) of the GDPR, whenever a controller justifies the data processing based on
its legitimate interests, data subjects can object to such processing. With a valid objection, the controller
is no longer allowed to process the data subject’s personal data unless it can demonstrate compelling,
legitimate grounds for the processing. Those grounds must be sufficiently compelling to override the
interests, rights and freedoms of the data subject, such as to establish, exercise or defend against legal
claims.

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 14

Under the Directive, data subjects already had the right to object to the processing of personal data for
the purposes of direct marketing. Under the GDPR, this now includes profiling, and, in addition, the data
subject must be explicitly, clearly and separately notified of the right to object.

Summary

• Many countries have data privacy laws stipulating how organizations in their jurisdiction must
respond to data subject requests. Given the requirements of various global privacy laws, it is
critical for organizations to have robust policies related to data subject rights and be able to
respond in a timely manner.
• EU-specific data subject rights affect organizations within and outside the EU, given the broad
scope of the GDPR.
• Data portability is a right under the GDPR that applies in cases of processing based on consent or
contractual necessity. It means that personal data must be transferrable from an organization
in a format that is structured, commonly used and machine-readable.
• Under the GDPR, individuals have the right to request erasure of their personal data in certain
circumstances—for example, if they withdraw consent.
• Erasure entails both ceasing processing and deleting data. Controllers must also ensure third
parties erase personal data.
• Erasure has been broadened to include the right to be forgotten, which applies when personal
data has been made public by the organization.

Handling complaints

Learning objective

• Explore the goals of privacy-related complaint-handling procedures

Handling complaints: Procedural considerations

Complaints about how your organization manages data subject rights may come from both internal
sources, such as employees, as well as external sources, such as customers, consumers, patients, the
public, regulators and vendors. Effective handling of complaints at the earliest opportunity will enhance
the complainant’s view of the organization and allow prompt improvement to practices. Poorly managed
complaints may escalate and lead to civil claims, complaints to regulators or significant expense, even if
litigation and enforcement action is avoided.

Internal procedures should define and enable mechanisms for:

• Differentiating between sources and types of complaints

• Designating proper recipients
• Implementing a centralized intake process
• Tracking the process
• Conducting file reviews
• Reporting and documenting resolutions
• Redress

Departments and roles designated with receiving complaints should be easy to reach, whether through
dedicated phone numbers, email addresses or physical addresses.

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 15

From an expert: Handling complaints

Chris Pahl, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, Cybersecurity Governance Manager

From a complaint perspective though, is really getting your hands on all the complaints that you’re
getting. So, one of the things that would be beneficial is to understand where the complaints could come
into the organization. Would they be lodged by your employee base, or retiree base, or union base? Would
they be lodged by your customer base? Where would those come in? Do you have a call center? Do you
have web forms? Do you have people that maybe are out in the field? Maybe they are with governmental
agencies. Maybe they’re getting feedback from those two—working with lawmakers. A lot of companies
have relationships with lawmakers. The part is … the difficult part is how do you funnel that now all to the
privacy organization? And what does the privacy organization do with it? Because the more information
you have and you don’t do anything with it, that’s a detriment to the organization.

I’ve always been taught—and there are books out there too—that complaint is a gift. And I think that was
difficult for me to understand when I was a lot younger. I used to look at complaints and just go, oh these
people are just mad or upset or just don’t understand what we’re doing, and … too bad for them. As I’ve
matured, I’ve understood that there’s trends out there, and you need to look at the trend. You may see an
issue today and go, wow, this is a one-off issue, that’s unfortunate—let’s deal with the issue. But then you
start seeing this pop up maybe three, four months or a year later, and if you have a good database that
you can now identify and do mapping or heat maps, then you can start seeing where the issues are
cropping up and hopefully get in front of that as well too.

I also find that if you can quantify and do trend lines for senior leaders on where your complaints are
going, that will usually get the attention you need for the organization to start saying, “Ah, we’ve got a
problem over here, let’s look into this now.” And that actually creates that senior leadership kind of
accountability that flows through the organization and says, “Oh, well our president wants to understand
why are we seeing an uptick in this area.” And unless you are able to quantify, do some data mining out
there as well too, you would never get to that state. So … the complaints are actually, while painful, they
are helpful. I mean, you’ve got to look at that through a more helpful lens versus just a painful lens.

Tackling complaints can be difficult as well, but also being able to quantify and to going to the right owner.
This kind of goes back to, you know, when we look at ownership about who owns certain things, that’s
another whole work stream and conversation we could have. But from this context, is working with the
individuals who may own marketing or text messaging or whatever form you’re seeing that in, then
coming to them and having a conversation and saying, “Oh, did you change a process recently? Because
there’s this uptick we’re seeing here, it’s really unusual, because you usually do a really great job. Or was
there a campaign that was just issued, or did we just send out benefits letters to our employees?” And
really trying to couch it not in an accusatory manner such as, “You have a problem,” because the person
automatically is going to come … not be very responsive.

But acknowledge that this is really unusual for your organization. What just occurred? And having that
conversation, because they’re going to be open and say, oh yeah, we just had this campaign we mailed
out, or we sent out emails to a million customers or all of our retiree base. Well, obviously, we know
statistically you can quantify that too … I always like to do that because when we see an uptick in
complaints your bar chart, or your trendline, will automatically go up. And … company officers and
managers will go, “What’s going on here? That’s really horrible.” I also like to quantify and try to put into
context—well you just had this massive campaign that just went out, and yeah, we had ten complaints.
Not good. But statistically it’s really low, but we’re going to look into this as well too. And so, I always like
to offset that so that I’m not always running around … being kind of Chicken Little throughout the
organization and being an alarmist with individuals, but also saying, “Hmm, let’s work on this. What
happened with these ten people? Or these 100 people? And how can we improve going forward?” And as
you work through those, I think the other … closing the door is reporting back in your metrics if you’re
quantifying complaints, and saying, “Yes, we had an uptick here, this is the issue we found, this is our
remediation.”

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 16

Summary

• Internal procedures for handling privacy-related complaints should define and enable
mechanisms for:
o Differentiating between sources and types of complaints
o Designating proper recipients
o Implementing a centralized intake process
o Tracking the process
o Reporting and documenting resolutions
o Redress
• Departments and roles designated with receiving complaints should be easy to reach through
dedicated phone numbers, email addresses and/or physical addresses.

Quiz

1. A privacy notice typically explains what? Select all that apply.

How personal information will be destroyed

How personal information will be stored

With whom personal information will be shared

What information will be collected

2. The chief privacy officer of a technology company has revised its privacy notice for users who download
the company’s applications onto their smartphones. The notice needs to be easily accessible to users so
they can refer to it when desired. What is an appropriate solution to this design challenge?

Layered approach

Privacy dashboard

Icons/symbols

Just-in-time notice

3. What may an organization’s procedures address regarding requests for withdrawal of consent? Select
all that apply.

When and how consent may be withdrawn

Rules for communicating with individuals

Methods for withdrawing consent

Documentation of requests and actions taken

4. True or false? Upon request from an individual, an organization must always provide access to their
personal information and information about the processing performed upon it.

True

False

5. True or false? Under the EU’s General Data Protection Regulation, erasure entails not only deleting
personal data but also informing regulators once the personal data has been deleted.

True

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 17

False

6. True or false? Internal procedures for handling privacy-related complaints should implement a
centralized intake process.

True

False

Closing slide

You have completed Module 9: Privacy Operational Life Cycle—Respond: Data Subject Rights.

Quiz answers

1. With whom personal information will be shared; what information will be collected
2. Privacy dashboard
3. All responses are correct
4. False
5. False
6. True

*Quiz questions are intended to help reinforce key topics covered in the module. They are not meant to
represent actual certification exam questions.

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.