Compliance And Accountability
Expert-defined terms from the Professional Certificate in GDPR and AI Data Privacy Compliance course at London School of Planning and Management. Free to read, free to share, paired with a professional course.
Accountability – The principle that organisations must demonstrate compli…
Related terms: Data protection officer, record‑keeping. Explanation: Accountability requires a documented governance framework, regular audits, and clear policies that show how obligations are met. Example: A multinational retailer maintains a compliance dashboard that records every data‑processing activity, the legal basis used, and the outcomes of internal audits. Practical application: Implement a “privacy by design” lifecycle, assign a DPO, and produce annual compliance reports. Challenges: Balancing comprehensive documentation with operational efficiency; ensuring cross‑border consistency when subsidiaries follow different local interpretations.
Algorithmic Bias – Systematic and unfair discrimination that emerges from…
Related terms: fairness, model auditing. Explanation: When an algorithm produces outcomes that disadvantage protected groups, it may breach GDPR’s prohibition on discriminatory automated decision‑making. Example: An AI‑driven credit scoring system assigns lower risk scores to applicants from certain postcode areas, reflecting historical lending bias. Practical application: Conduct bias impact assessments, use diverse datasets, and implement corrective post‑processing techniques. Challenges: Identifying hidden biases, quantifying fairness, and reconciling technical mitigation with legal standards.
Anonymization – The irreversible process of removing personal identifiers…
Related terms: pseudonymization, de‑identification. Explanation: Proper anonymization removes GDPR scope, but the technique must be robust against re‑identification attacks. Example: A health research institute aggregates patient data, removes all direct identifiers, and applies differential privacy noise before publishing results. Practical application: Use statistical disclosure controls, regularly test re‑identification risk, and document the methodology. Challenges: Determining the threshold of “irreversibility,” handling big data environments where linkage attacks are easier, and maintaining utility for analysis.
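The pipeline the health-research example describes, as an added illustration that is not part of the course material: direct identifiers are dropped, the smallest quasi-identifier group is measured as a re-identification risk check, small cells are suppressed, and Laplace noise is added to the released counts. The patient rows, the `min_cell` threshold and the quasi-identifier columns are constructed for the demo.

```python
import math
import random
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed patient rows (not real data): direct identifiers plus the
# attributes that will be aggregated for publication.
def _rows(diagnosis: str, n: int, start: int) -> List[dict]:
    return [{"name": f"Patient {start + i}", "nhs_no": f"{start + i:04d}",
             "postcode": "SW1A", "diagnosis": diagnosis} for i in range(n)]

PATIENT_ROWS = _rows("asthma", 6, 0) + _rows("diabetes", 5, 100) + _rows("rare_condition", 2, 200)
DIRECT_IDENTIFIERS = frozenset({"name", "nhs_no"})


def strip_direct_identifiers(rows: Iterable[dict]) -> List[dict]:
    """Remove columns that identify a person on their own (step 1 of the entry)."""
    return [{k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS} for row in rows]


def min_group_size(rows: Iterable[dict], quasi: Tuple[str, ...]) -> int:
    """Re-identification risk check: size of the smallest group sharing all
    quasi-identifier values (k in k-anonymity). Small groups are easy to link."""
    groups = Counter(tuple(row[q] for q in quasi) for row in rows)
    return min(groups.values()) if groups else 0


def aggregate_counts(rows: Iterable[dict], by: str) -> Counter:
    """Aggregate to per-category counts; individual rows are never published."""
    return Counter(row[by] for row in rows)


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverse CDF; scale = sensitivity / epsilon."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def release_counts(counts: Dict[str, int], epsilon: float, rng: random.Random,
                   min_cell: int = 5, sensitivity: float = 1.0) -> Dict[str, int]:
    """Statistical disclosure control plus differential privacy noise.

    Cells below min_cell are suppressed on the raw count (a classic SDC rule,
    not itself a DP step); surviving cells get Laplace noise calibrated to
    epsilon, so one patient's presence changes each count by at most
    `sensitivity`.
    """
    scale = sensitivity / epsilon
    released = {}
    for category, n in sorted(counts.items()):
        if n < min_cell:
            continue  # suppressed: too few people to publish safely
        released[category] = max(0, round(n + laplace_noise(scale, rng)))
    return released


def publish(rows: Iterable[dict], epsilon: float, seed: int = 7) -> Dict[str, int]:
    """End-to-end: strip identifiers, aggregate, suppress, add noise."""
    cleaned = strip_direct_identifiers(rows)
    counts = aggregate_counts(cleaned, by="diagnosis")
    return release_counts(counts, epsilon, random.Random(seed))


if __name__ == "__main__":
    cleaned = strip_direct_identifiers(PATIENT_ROWS)
    print("smallest quasi-identifier group:", min_group_size(cleaned, ("postcode", "diagnosis")))
    print("released counts (epsilon=1.0):", publish(PATIENT_ROWS, epsilon=1.0))
```

Re-run `publish` with different seeds to see that the released numbers move while the suppressed cell never appears; the `min_group_size` value is what the entry's "regularly test re-identification risk" step would track over time.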
Articulation of Legal Basis – The process of selecting and recording the…
Related terms: Article 6, legitimate interest. Explanation: Each processing operation must be matched to a lawful basis, such as consent, contract performance, or public task, and this choice must be documented. Example: An e‑commerce site processes customer data for order fulfilment under “contract performance” (Article 6(1)(b)) and for marketing under “consent” (Article 6(1)(a)). Practical application: Create a matrix linking processing activities to legal bases, and embed it in the DPIA template. Challenges: Avoiding “basis stacking,” ensuring that consent is freely given and specific, and revisiting bases when business models evolve.
Artificial Intelligence (AI) Governance – The set of policies, procedures…
Related terms: risk management, ethical AI. Explanation: AI governance aligns technical controls with legal obligations, such as GDPR’s data‑subject rights and the upcoming AI Act. Example: A financial services firm establishes an AI ethics board that reviews model transparency, bias, and compliance before release. Practical application: Integrate AI risk registers into existing GRC platforms, and require model documentation for each production system. Challenges: Keeping governance frameworks agile enough for rapid AI innovation while satisfying rigorous regulatory scrutiny.
Article 5 – Principles Relating to Processing – The core GDPR principles…
Related terms: purpose limitation, data minimisation. Explanation: The six principles—lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity/confidentiality—form the foundation of compliance. Example: A marketing department uses a customer database only for the specific campaign for which consent was obtained, discarding the data after the campaign ends. Practical application: Conduct periodic “principle‑checks” against data inventories, and embed controls into ERP systems to enforce purpose tags. Challenges: Interpreting vague concepts such as “fairness” across different jurisdictions, and reconciling data‑minimisation with analytics needs.
Article 6 – Lawful Basis for Processing – The GDPR provision that enumera…
Related terms: consent, legitimate interest assessment. Explanation: Each processing activity must be anchored to one of the bases; the choice influences the rights of data subjects and the organisation’s obligations. Example: A SaaS provider processes user logs for security monitoring under “legitimate interest” (Article 6(1)(f)). Practical application: Deploy a decision‑tree tool that guides staff to the correct legal basis during onboarding of new projects. Challenges: Demonstrating that legitimate interests are balanced against individual rights, especially when the processing is extensive or invasive.
Article 9 – Special Categories of Personal Data – The GDPR clause that re…
Related terms: explicit consent, health data. Explanation: Processing special categories requires additional safeguards and a higher threshold of justification, often needing explicit consent or a statutory provision. Example: A telemedicine platform processes patient health records under the “medical diagnosis” exemption (Article 9(2)(h)). Practical application: Implement separate data‑flow maps for special‑category data, and enforce encryption at rest and in transit. Challenges: Managing consent withdrawal, ensuring that secondary uses (e.g., research) meet strict conditions, and coordinating with cross‑border data transfers.
Articulation of Data Subject Rights – The systematic approach to recognis…
Related terms: right to access, right to erasure. Explanation: Organisations must have processes to receive requests, verify identity, and act within statutory timeframes, while maintaining audit trails. Example: A social media platform provides a self‑service portal where users can download their data and request deletion. Practical application: Deploy an automated ticketing system that routes requests to the DPO and logs completion timestamps. Challenges: Scaling to high request volumes, handling complex “right to data portability” formats, and avoiding inadvertent disclosure during verification.
Automated Decision‑Making (ADM) – Any decision made solely by automated m…
Related terms: profiling, human‑in‑the‑loop. Explanation: Under GDPR, ADM is restricted unless specific conditions are met, such as explicit consent or a legal obligation, and data subjects must be provided with meaningful information and the opportunity to contest. Example: An insurance company uses an AI model to set premiums without human review, triggering the ADM restriction. Practical application: Design ADM workflows that include a manual override step and provide clear explanations of the logic used. Challenges: Translating complex model decisions into understandable “meaningful information,” and ensuring that the fallback human review is not a token exercise.
Binding Corporate Rules (BCRs) – Internal data‑transfer mechanisms approv…
Related terms: adequacy decision, Standard Contractual Clauses. Explanation: BCRs must demonstrate adequate safeguards, include enforceable data‑subject rights, and undergo a rigorous approval process. Example: A global logistics firm adopts BCRs covering all subsidiaries, enabling seamless shipment tracking data transfers between Europe and Asia. Practical application: Draft a BCR charter, conduct a privacy impact assessment, and submit the package to the lead supervisory authority. Challenges: Maintaining BCR compliance amid regulatory changes (e.g., Schrems II), and ensuring that third‑party processors adhere to the same standards.
Consent Management – The set of tools, policies, and processes that captu…
Related terms: withdrawal, granular consent. Explanation: Consent must be freely given, specific, informed, and unambiguous; it must also be as easy to withdraw as to give. Example: A mobile app uses a layered consent screen that separates consent for functional cookies, analytics, and targeted advertising. Practical application: Integrate a consent‑recording API that timestamps each user action and links it to the corresponding processing purpose. Challenges: Dealing with legacy systems that lack consent fields, handling consent across multiple devices, and proving consent in litigation.
Controller‑Processor Relationship – The contractual and functional linkag…
Related terms: Joint controllership, Data Processing Agreement. Explanation: GDPR mandates a written Data Processing Agreement (DPA) that outlines responsibilities, security measures, and breach notification duties. Example: An online retailer (controller) outsources email campaign delivery to a marketing agency (processor) and signs a DPA covering data handling. Practical application: Maintain a central repository of DPAs, conduct annual supplier audits, and embed processor clauses in procurement contracts. Challenges: Identifying hidden joint‑controller scenarios, ensuring processors implement adequate technical safeguards, and managing sub‑processor notifications.
Data Breach Notification – The obligation to inform supervisory authoriti…
Related terms: 72‑hour rule, risk assessment. Explanation: Notification must be made within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in risk to rights and freedoms. Example: A cloud storage provider discovers that an employee mis‑configured a bucket, exposing customer records; it notifies the regulator within 48 hours and informs affected customers. Practical application: Deploy a breach detection system, define a breach response playbook, and conduct tabletop exercises quarterly. Challenges: Accurately assessing risk severity, coordinating cross‑border notifications, and handling media scrutiny.
Data Minimisation – The principle that personal data collected should be…
Related terms: purpose limitation, retention schedule. Explanation: Organisations must regularly review data inventories to eliminate unnecessary fields and reduce exposure. Example: A travel booking site removes optional “middle name” fields from its checkout form after a privacy audit. Practical application: Implement form‑validation rules that hide non‑essential fields, and automate deletion of obsolete records after the retention period. Challenges: Balancing business analytics needs with minimisation, and dealing with legacy databases that contain historic surplus data.
Data Protection Impact Assessment (DPIA) – A systematic process to assess…
Related terms: risk register, privacy by design. Explanation: DPIAs are mandatory when processing is likely to result in a high risk to individuals, such as large‑scale profiling or processing of special categories. Example: A smart‑city initiative conducts a DPIA before installing facial‑recognition cameras in public spaces. Practical application: Use a DPIA template that includes a description of processing, necessity and proportionality analysis, and a mitigation plan. Challenges: Estimating likelihood and severity of harms, obtaining stakeholder input, and updating DPIAs as the project evolves.
Data Subject Access Request (DSAR) – A request by an individual to obtain…
Related terms: right to access, verification. Explanation: The controller must respond within one month, providing the data in a structured, commonly used, and machine‑readable format where feasible. Example: A university receives a DSAR from an alumnus and delivers a CSV file containing all stored academic records. Practical application: Deploy an automated DSAR portal that pulls data from multiple systems, redacts irrelevant fields, and logs the response timeline. Challenges: Consolidating data from siloed applications, ensuring data accuracy in the response, and managing repeated requests.
Data Transfer Impact Assessment (DTIA) – An evaluation of the risks assoc…
Related terms: SCCs, Schrems II. Explanation: The DTIA must consider the legal environment of the destination, the presence of supplementary measures, and the likelihood of government access. Example: A tech startup assesses the risk of sending user analytics to a US cloud provider after the European Court of Justice invalidated the Privacy Shield. Practical application: Document the assessment, apply encryption and pseudonymisation, and negotiate Standard Contractual Clauses with the provider. Challenges: Keeping up with evolving jurisprudence, quantifying “adequacy” of supplementary safeguards, and managing cross‑border incident response.
Data Retention Schedule – A policy that defines how long different catego…
Related terms: storage limitation, archival. Explanation: Retention periods must be justified by the purpose, legal obligations, or legitimate interests, and reviewed regularly. Example: A payroll department retains employee salary records for seven years in accordance with tax regulations, then securely destroys them. Practical application: Configure automated deletion jobs in the data warehouse, and maintain a register of retention periods linked to data classifications. Challenges: Reconciling conflicting retention requirements (e.g., tax vs. litigation holds), and ensuring complete erasure across backups.
Data Subject Rights Management Platform (DSRMP) – Software that centralis…
Related terms: workflow automation, audit trail. Explanation: A DSRMP streamlines compliance by routing requests to the appropriate owners, generating evidence of action, and providing reporting dashboards. Example: A multinational bank uses a DSRMP to handle “right to restriction” requests, automatically flagging relevant accounts for limited processing. Practical application: Integrate the platform with CRM and ERP systems via APIs, and set SLA metrics for each type of request. Challenges: Mapping rights to all data sources, handling multilingual requests, and ensuring the platform itself complies with data‑protection standards.
Data Protection Officer (DPO) – The designated individual responsible for…
Related terms: independence, expertise. Explanation: The DPO must have expert knowledge of data protection law, operate autonomously, and report directly to senior management. Example: A fintech firm appoints a senior privacy counsel as its DPO, granting them authority to halt non‑compliant processing. Practical application: Provide the DPO with a budget, access to all processing records, and a seat at the governance board. Challenges: Balancing the DPO’s advisory role with operational pressures, and keeping the DPO’s expertise current amid rapid AI developments.
Data Protection Principles (GDPR) – The six core rules that govern lawful…
Related terms: principle‑based compliance, risk‑based approach. Explanation: Each principle must be reflected in policies, technical controls, and organisational culture, forming the backbone of any privacy programme. Example: A SaaS provider embeds purpose tags in its database schema to enforce purpose limitation at the query level. Practical application: Conduct regular principle‑gap analyses and embed findings into the risk‑management framework. Challenges: Interpreting vague concepts such as “fairness” in diverse cultural contexts, and aligning all subsidiaries to a unified principle interpretation.
Data Subject Right to Erasure (Right to be Forgotten) – The entitlement o…
Related terms: de‑identification, retention policy. Explanation: The controller must act without undue delay, unless an exception (e.g., legal obligation) applies. Example: An online forum removes a user’s profile and all associated posts after the user requests deletion and no statutory retention applies. Practical application: Deploy a “delete‑on‑request” workflow that propagates the erasure command to all downstream systems, including backups. Challenges: Ensuring complete removal from immutable logs, handling requests that affect shared data, and documenting compliance for auditors.
Data Subject Right to Portability – The right to receive personal data in…
Related terms: interoperability, API export. Explanation: Portability applies when processing is based on consent or contract and is carried out by automated means. Example: A music‑streaming service provides users with a downloadable JSON file containing their playlists and listening history. Practical application: Offer an export endpoint that packages data per GDPR specifications, and verify the format’s compatibility with common competitors. Challenges: Mapping data schemas across platforms, preserving data integrity during transfer, and handling third‑party content embedded in the export.
Data Subject Right to Restriction of Processing – The ability of individu…
Related terms: temporary suspension, flagging. Explanation: When restriction is granted, the controller must store the data but may not process it further, except for storage. Example: A customer disputes a credit score calculation; the bank flags the record and halts any further profiling until the dispute is resolved. Practical application: Implement a “restriction flag” in the data model that disables downstream analytics pipelines for affected records. Challenges: Ensuring all downstream systems respect the flag, especially in distributed architectures, and tracking the duration of restriction.
Data Subject Right to Object – The right of individuals to object to proc…
Related terms: opt‑out, marketing preferences. Explanation: Upon objection, the controller must cease processing unless compelling legitimate grounds override the objection. Example: A newsletter subscriber clicks an “unsubscribe” link, triggering an automatic stop to all marketing communications. Practical application: Maintain a central preference centre that synchronises opt‑out status across CRM, email, and analytics platforms. Challenges: Managing objections that span multiple processing purposes, and documenting the justification when processing continues.
Data Transfer Mechanisms – Legal tools that enable the movement of person…
Related terms: SCCs, adequacy decision, BCRs. Explanation: Mechanisms include adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules, and, where applicable, derogations such as explicit consent. Example: A European manufacturer uses SCCs to send order data to a supplier in India, supplementing the clauses with encryption and a data‑mapping annex. Practical application: Maintain a register of all cross‑border transfers, and perform periodic DTIA reviews to confirm continued adequacy. Challenges: Navigating the fallout from Schrems II, updating SCCs after the European Commission’s revision, and ensuring third‑party processors honour the clauses.
Data Protection by Design and by Default – The approach of embedding priv…
Related terms: privacy‑by‑design, default settings. Explanation: This principle requires technical and organisational measures such as minimisation, pseudonymisation, and strong access controls to be integral to system architecture. Example: A mobile app requests location access only while the user is actively using a feature, and stores the data in an encrypted local database. Practical application: Conduct privacy‑impact design reviews during the software development lifecycle, and enforce “privacy‑first” UI patterns. Challenges: Aligning product roadmaps with privacy requirements, and avoiding “privacy fatigue” where users are overwhelmed by frequent consent prompts.
Data Quality Assurance – Processes that ensure personal data is accurate,…
Related terms: data cleansing, master data management. Explanation: Inaccurate data can lead to wrongful decisions and regulatory penalties; therefore, organisations must implement validation, correction, and verification mechanisms. Example: An online retailer runs nightly scripts to validate email formats and prompts customers to confirm outdated shipping addresses. Practical application: Use automated data‑quality tools that flag anomalies, and provide self‑service portals for subjects to update their own records. Challenges: Balancing real‑time data updates with batch processing constraints, and handling conflicting data from multiple sources.
Data Security Measures – Technical and organisational safeguards designed…
Related terms: encryption, access control. Explanation: GDPR requires “appropriate” security, which is assessed in light of the risk to the rights and freedoms of data subjects. Example: A health‑tech startup encrypts patient records with AES‑256 and enforces multi‑factor authentication for all staff. Practical application: Conduct regular penetration testing, maintain an up‑to‑date vulnerability management program, and document security policies. Challenges: Keeping pace with emerging threats, ensuring security controls do not impede legitimate data processing, and demonstrating proportionality to regulators.
Data Subject Right to Compensation – The entitlement of individuals to re…
Related terms: liability, damages. Explanation: Compensation is not automatic; it must be claimed, and the controller may be liable if negligence is proven. Example: A consumer sues a ride‑sharing platform after a data breach leads to identity theft, and the court awards damages for emotional distress. Practical application: Maintain a liability insurance policy covering privacy‑related claims, and establish a claims‑handling process. Challenges: Quantifying non‑material harm, managing reputational impact, and coordinating with legal teams across jurisdictions.
Data Subject Right to Explanation (AI Transparency) – The emerging expect…
Related terms: model interpretability, explainable AI. Explanation: While GDPR does not explicitly mandate a “right to explanation,” Recital 71 and supervisory guidance encourage clear communication of logic, significance, and consequences. Example: An e‑learning platform provides a narrative description of how its recommendation engine ranks courses for a learner. Practical application: Deploy model‑agnostic explanation tools (e.g., SHAP, LIME) that generate human‑readable summaries for each decision. Challenges: Translating technical model internals into layperson language, and balancing transparency with intellectual property protection.
Data Subject Right to Information (Transparency) – The requirement that c…
Related terms: privacy notice, plain‑language. Explanation: Transparency is satisfied by privacy notices that cover identity, purpose, legal basis, data‑subject rights, and contact details. Example: A smart‑home device includes a QR‑code linking to an online privacy notice that explains data collection for voice commands. Practical application: Conduct a privacy‑notice audit, use layered disclosures, and test readability with target audiences. Challenges: Avoiding information overload, keeping notices up‑to‑date with evolving services, and ensuring accessibility for users with disabilities.
Data Subject Right to Rectification – The entitlement to have inaccurate…
Related terms: accuracy, correction workflow. Explanation: Controllers must verify the request, correct the data, and inform any third parties who received the inaccurate data. Example: A banking customer notifies the bank of an outdated address; the bank updates the record and sends a confirmation to the customer. Practical application: Provide a self‑service portal where users can submit corrections, and automate propagation to downstream systems. Challenges: Coordinating updates across disparate databases, handling disputes over the correctness of data, and maintaining audit trails for regulatory proof.
Data Subject Right to Restriction (Temporary Suspension) – The right to l…
Related terms: temporary hold, processing pause. Explanation: The controller must store the data but refrain from further processing, except for storage, unless the controller demonstrates compelling reasons. Example: An employee objects to the use of their performance data for promotion decisions; the HR system flags the record and disables any analytics until resolution. Practical application: Embed a “restriction flag” into the data model that disables downstream pipelines and logs attempts to process restricted records. Challenges: Ensuring all downstream services respect the flag, especially in micro‑service architectures, and tracking the duration of restriction.
Data Subject Right to Withdraw Consent – The ability of individuals to re…
Related terms: opt‑out, consent revocation. Explanation: Upon withdrawal, the controller must cease processing based on that consent, unless another lawful basis applies. Example: A newsletter subscriber clicks an “unsubscribe” link, and the marketing platform automatically removes the email from all campaign lists. Practical application: Implement a consent‑management system that logs each withdrawal event with timestamp and reason, and triggers automated data‑deletion where appropriate. Challenges: Managing consent across multiple channels (web, mobile, offline), and ensuring that legacy systems honor revocation.
Data Subject Right to Object to Direct Marketing – A specific objection t…
Related terms: do‑not‑call list, marketing preferences. Explanation: Under GDPR, individuals may object at any time, and the controller must respect the objection without further processing for marketing. Example: A consumer registers a “do not call” preference in a telecom provider’s portal; the provider disables all outbound marketing calls to that number. Practical application: Maintain a centralised suppression list that is consulted by all outbound marketing systems before any contact is made. Challenges: Synchronising suppression lists across global subsidiaries, and ensuring that third‑party vendors also respect the objection.
Data Subject Right to Access Logs (Audit Trail) – The entitlement to rece…
Related terms: processing record, transparency. Explanation: While not a separate right, providing logs enhances transparency and can be part of a DSAR response. Example: An employee requests a log of who accessed their HR file; the employer provides a time‑stamped list of authorized accesses. Practical application: Enable logging on all data‑access points, and build a reporting module that extracts relevant entries for DSAR fulfillment. Challenges: Protecting the privacy of other data subjects appearing in the logs, and ensuring log integrity against tampering.
Data Subject Right to Lodge a Complaint – The ability of individuals to f…
Related terms: supervisory authority, enforcement. Explanation: Controllers must provide clear contact details for the DPO and the relevant authority, and must not impede the filing of complaints. Example: A user files a complaint with the Irish Data Protection Commission alleging unlawful profiling by a social‑media platform. Practical application: Publish a “complaints” section on the privacy notice, and train staff on handling incoming complaints promptly. Challenges: Managing reputational risk, coordinating with legal counsel, and ensuring timely cooperation with investigations.
Data Subject Right to Compensation for Non‑Compliance – The possibility f…
Related terms: liability, penalties. Explanation: Compensation may be awarded for material loss, emotional distress, or any other harm resulting from non‑compliant processing. Example: A consumer sues a data‑broker for unauthorized sale of personal data, and the court orders monetary compensation. Practical application: Incorporate potential liability costs into risk‑assessment models, and maintain a privacy‑incident response fund. Challenges: Predicting exposure, handling class‑action suits, and balancing settlement versus litigation strategies.
Data Subject Right to Receive a Copy of Personal Data (Portability) – The…
Related terms: interoperability, JSON. Explanation: Portability applies when processing is based on consent or contract and is conducted by automated means. Example: A user requests a CSV export of their ride‑history from a transportation app to switch to a competitor. Practical application: Provide an API endpoint that streams data in a standard format, and verify that the export includes all relevant metadata. Challenges: Mapping proprietary data structures to open standards, handling large data volumes efficiently, and ensuring no loss of context during transfer.
Data Subject Right to Object to Scientific Research – The ability to oppo…
Related terms: research exemption, public interest. Explanation: While GDPR provides a research exemption, individuals may still object if the processing is not strictly necessary or proportionate. Example: A university asks participants to opt‑out of a longitudinal health study after the initial consent period. Practical application: Include an opt‑out mechanism in the participant portal, and document the justification for continuing processing where objections are overridden. Challenges: Balancing scientific value against individual autonomy, and ensuring that objections are respected across multiple research partners.
Data Subject Right to Object to Automated Profiling – The right to preven…
Related terms: profiling, human review. Explanation: When profiling is based on legitimate interests, the data subject may object, and the controller must cease processing unless compelling reasons exist. Example: A marketing firm uses behavioural profiling to target ads; a user objects, and the firm disables all profiling for that user’s identifier. Practical application: Implement a “profiling opt‑out” flag that is checked before any model inference is applied to a user’s data. Challenges: Detecting indirect profiling across multiple data sources, and documenting the justification if processing continues.
Data Subject Right to Restriction of Processing (Legal Claims) – The righ…
Related terms: legal hold, evidence preservation. Explanation: The controller must retain the data but may not process it further, except for storage, until the claim is resolved. Example: An employee alleges wrongful termination based on inaccurate performance data; the employer places a restriction on further use of that data pending litigation. Practical application: Use a “legal hold” system that tags records, prevents further analytics, and ensures preservation for discovery. Challenges: Coordinating restriction across multiple systems, and ensuring that the restriction does not inadvertently affect unrelated business processes.
Data Subject Right to Access Personal Data (DSAR) – The entitlement to ob…
Related terms: right to access, information provision. Explanation: Controllers must respond within one month, providing data in a commonly used electronic format where feasible. Example: A music‑streaming service delivers a ZIP file containing a user’s listening history, playlists, and account settings upon request. Practical application: Automate DSAR handling through a portal that aggregates data from CRM, analytics, and storage layers, and logs the response timeline. Challenges: Consolidating data from siloed applications, ensuring the export does not expose other users’ data, and handling repeated or excessive requests.
Data Subject Right to Request Limitation (Processing Pause) – The ability…
Related terms: temporary suspension, restriction flag. Explanation: The controller must retain the data but may not use it for any purpose other than storage, unless a compelling reason overrides the request. Example: A customer disputes the accuracy of a credit score; the bank places a restriction flag on the record, halting further credit‑risk calculations. Practical application: Implement a “processing pause” workflow that automatically disables data pipelines for flagged records and notifies relevant stakeholders. Challenges: Ensuring all downstream services respect the pause, especially in real‑time analytics, and tracking the duration of the restriction.
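The "restriction flag" that the three restriction entries above (Restriction of Processing, Temporary Suspension, and Processing Pause) all call for, as an added illustration that is not part of the course material: a single choke point every pipeline must go through, which refuses anything but storage-type operations on a flagged record, logs the refused attempt, and reports restrictions that have outlived their review window. The record type, the `STORAGE_ONLY` operation set, the 30-day review window and the credit-score scenario are assumptions for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# Operations still permitted while a record is restricted. GDPR allows storage;
# which operation names count as "storage" is an assumption for this demo.
STORAGE_ONLY = frozenset({"store", "backup"})


class RestrictedRecordError(Exception):
    """Raised when a pipeline tries to process a record that is under restriction."""


@dataclass
class CustomerRecord:
    record_id: str
    credit_score: int
    restricted_since: Optional[datetime] = None  # None means no restriction in force
    restriction_reason: str = ""


@dataclass
class RecordStore:
    records: Dict[str, CustomerRecord] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)  # evidence for auditors

    def _log(self, **entry) -> None:
        self.audit_log.append(entry)

    def restrict(self, record_id: str, reason: str, now: datetime) -> None:
        """Set the flag; from now on only storage-type operations may run."""
        rec = self.records[record_id]
        rec.restricted_since = now
        rec.restriction_reason = reason
        self._log(at=now, record=record_id, event="restricted", reason=reason)

    def lift(self, record_id: str, now: datetime) -> None:
        """Clear the flag once the dispute is resolved."""
        rec = self.records[record_id]
        rec.restricted_since = None
        rec.restriction_reason = ""
        self._log(at=now, record=record_id, event="restriction_lifted")

    def process(self, record_id: str, operation: str,
                fn: Callable[[CustomerRecord], object], now: datetime) -> object:
        """The one gate every downstream pipeline calls before touching a record."""
        rec = self.records[record_id]
        if rec.restricted_since is not None and operation not in STORAGE_ONLY:
            # Refused attempts are logged so the restriction is provably enforced.
            self._log(at=now, record=record_id, event="refused", operation=operation)
            raise RestrictedRecordError(
                f"{record_id} restricted since {rec.restricted_since.isoformat()}: "
                f"{operation} is not permitted")
        self._log(at=now, record=record_id, event="processed", operation=operation)
        return fn(rec)

    def restriction_age(self, record_id: str, now: datetime) -> Optional[timedelta]:
        rec = self.records[record_id]
        return None if rec.restricted_since is None else now - rec.restricted_since

    def overdue_restrictions(self, now: datetime,
                             max_age: timedelta = timedelta(days=30)) -> List[str]:
        """Records whose restriction has outlived the review window (assumed 30 days)."""
        return [rid for rid in self.records
                if (age := self.restriction_age(rid, now)) is not None and age > max_age]


def recalculate_risk(rec: CustomerRecord) -> int:
    """Stand-in for a credit-risk pipeline step (constructed)."""
    return rec.credit_score - 10


def run_dispute_scenario() -> dict:
    """Constructed walk-through: a customer disputes a score, the bank flags the record."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    store = RecordStore()
    store.records["cust-1001"] = CustomerRecord("cust-1001", credit_score=640)

    store.restrict("cust-1001", "score accuracy disputed", t0)
    try:  # the analytics pipeline tries to recalculate the score while restricted
        store.process("cust-1001", "credit_risk_recalculation", recalculate_risk,
                      t0 + timedelta(hours=1))
        refused = False
    except RestrictedRecordError:
        refused = True
    backed_up = store.process("cust-1001", "backup", lambda r: r.record_id,
                              t0 + timedelta(hours=2))  # storage is still allowed
    # Review check as it would look 45 days later if nobody had resolved the dispute.
    overdue = store.overdue_restrictions(t0 + timedelta(days=45))

    store.lift("cust-1001", t0 + timedelta(days=3))  # dispute resolved
    new_score = store.process("cust-1001", "credit_risk_recalculation", recalculate_risk,
                              t0 + timedelta(days=3, hours=1))
    return {
        "refused_while_restricted": refused,
        "backup_allowed": backed_up == "cust-1001",
        "overdue_before_lift": overdue,
        "score_after_lift": new_score,
        "refusals_logged": sum(1 for e in store.audit_log if e["event"] == "refused"),
    }


if __name__ == "__main__":
    print(run_dispute_scenario())
```

The point of routing every pipeline through `process` is that a service which bypasses the gate, a common failure in micro-service architectures, shows up as a missing audit entry rather than as silent processing.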
Data Subject Right to Compensation for Emotional Distress – The entitleme…
Related terms: psychological injury, non‑pecuniary loss. Explanation: Compensation is not automatic; it must be claimed and proven, often requiring expert testimony on the extent of emotional impact. Example: A victim of a data breach sues for anxiety and loss of sleep, and the court awards a sum for non‑pecuniary damages. Practical application: Maintain documentation of breach impact assessments, and work with legal counsel to evaluate potential compensation exposure. Challenges: Quantifying intangible harms, managing public relations, and navigating differing national standards for emotional distress awards.
Data Subject Right to Object to Direct Marketing (Do‑Not‑Contact) – The s…
Related terms: opt‑out, marketing suppression. Explanation: Once exercised, the controller must ensure that the individual's data is excluded from all marketing channels. Example: An e‑commerce site adds a user’s email to a “do‑not‑email” list, and all campaign tools automatically exclude that address. Practical application: Centralise marketing preferences in a master data‑management system that synchronises with email, SMS, and push‑notification platforms.