GDPR data subject rights

Start adding items to your reading lists:
Save this item to:
This item has been saved to your reading list.


Privacy rules in the European Union’s (EU) General Data Protection Regulation (GDPR) will have many organizations worldwide on the receiving end of data subject rights (DSR) requests when the regulation goes into effect next year. Responding to such requests -- which might deal, for instance, with data access, deletion and portability -- could require significant effort. To avoid being caught flat-footed, organizations need to proactively build an effective process for managing and addressing these requests. On the surface that might seem vexing, but here are five critical factors for success.

Five critical success factors

  1. Operationalizing a process for DSR requests will mitigate one of the most significant GDPR risks for companies processing EU personal data.
  2. All organizations will need to determine their degree of interaction with data subjects as well as their unique mix of people, processes and technology.
  3. A privacy function is fundamental for clear ownership of the DSR program and process—from receipt of requests through the conclusion.
  4. Numerous challenges and considerations need to be addressed to effectively handle DSR requests.
  5. The right level of technology to support  people and processes must also be determined.

How to be prepared for data subject rights

While GDPR only applies to EU data subjects and their personal data, B2B and B2C organizations may want to consider a broader implementation applicable to all data subjects in anticipation of other country-specific legislation that may follow suit. There is no perfect mix of people, processes, and technology to support DSR requests. The process-related considerations may require the greatest time and attention. Consider what volume of requests may be received; leverage or extend existing functionality, where feasible; and keep the technology and process simple, with a focus on tracking all activities and contacts that occur to receive, process, possibly fulfill, and then close DSR requests in a reportable and auditable manner.

Related PwC services

Contact us

Jay Cline

US Privacy Leader, Principal, PwC US

Alison Brunelle

Director, Cybersecurity and Privacy, PwC US

Jo Roberts

Manager, Cybersecurity and Privacy, PwC US

Follow us