Data Subjects

by Holly Landis
A data subject is an individual who can be identified by specific pieces of data. Learn more about the types, elements, and best practices under GDPR.

What are data subjects?

A data subject is an individual who can be identified, either directly or indirectly, via a qualifying identifier. The identifier could be an ID number, a name, a location, or other factors about that person.

The term is most commonly used in relation to the General Data Protection Regulation (GDPR) in the European Union, in connection with personal data that could be collected about people. One of the primary goals of GDPR is to protect personal data and ensure that any businesses using the data do so with the full consent of the data subject.

In most business cases, data subjects are employees or customers of the company. Some circumstances may require revealing the personal information of a data subject for analysis. Using data de-identification tools, companies can extract the most important pieces of data from these subjects without their personally identifiable information being put at risk of a data breach.

Types of data subjects

Who a data subject is primarily depends on what information a business collects and how the subjects relate to the company. Some of the most common types are:

  • Employees. Businesses hold large amounts of data about their workers, from personal details like residential address, Social Security number, and date of birth, to financial details like bank account information. Employees usually comprise the largest percentage of a company’s database.
  • Customers. After employees, this is typically the next largest percentage. Depending on the type of business, some companies may have vast amounts of very personal data on these subjects. Others may simply have a name, address, and payment information from previous purchases.
  • Suppliers or vendors. Any business that works with other companies has basic information in their databases regarding their vendors. Like customers, this information could be minimal, but is still considered private information about these specific data subjects.
  • Job applicants. When companies hire new employees, they gather data at each stage of the application process. This is particularly the case for online applications, where tracking details may be recorded for each applicant, along with the information they enter about themselves on job forms.
  • Prospects. For businesses actively looking to build their client list, a record of prospective customers may also be collected. A customer relationship management system (CRM) can store information about prospects so that the sales team is empowered to nurture those leads and turn them into paying customers.
  • Next of kin. HR may hold onto next of kin in case of an employee emergency. Certain industries like healthcare may have more information about next of kin should medical decisions need to be made.

Basic elements of data subjects

Every individual has numerous identifiers that a business could store to pinpoint them as a data subject. These include:

  • Name. This is the most common identifier that businesses will have about employees, customers, or vendors. Some companies hide or encrypt this information to protect the identity of data subjects.
  • Identification number. An ID number could be assigned to a data subject or they could already have one of their own, such as a passport or driving license number, which can be input into a database for identification.
  • Physical address. In most cases, the address assigned to a data subject will be their home or office location.
  • Email address. A business or personal email address will be recorded for all types of data subjects so that a business can easily contact them if necessary.
  • Photograph. Some businesses keep visual information about their data subjects. Employee photos may be attached to their personnel file and held by HR. Law enforcement keeps photographic records of individuals who have been arrested or held in custody.
  • Biometric data. Retina scans or fingerprint data may also be maintained by some companies, especially those who work in heavily secured industries. Some technology companies also use this information when data subjects need to access office locations or certain business systems.

Under GDPR regulations, a data subject should also fit into one of five categories:

  • Located in the EU
  • A resident of the EU
  • A citizen of the EU
  • An EU resident or citizen outside the EU
  • Has personal data held within the EU

Best practices for data subjects

Every business has several data subjects, regardless of type. Protecting their information is critical, so organizations should follow several best practices.

  • Controlling access to data subject information. Not everyone within a business needs access to the same level of data subject information. For employees, the HR team should manage this data, while customer information doesn’t need to be shared outside of sales and marketing departments. Keeping data subject information to the smallest necessary group safeguards personal details.
  • Encrypting data at all levels. Cybersecurity breaches are on the rise, so protecting sensitive information from outside hands is essential. By encrypting data before sharing it, the information becomes harder for unauthorized users to access.
  • Regularly performing cybersecurity audits. Encrypting data isn’t enough when it comes to cybersecurity. IT teams should be regularly evaluating the company’s security practices to look for vulnerabilities in the system and making necessary updates to prevent any data breaches from occurring.
  • Complying with industry regulations. Companies must ensure that personal data protections continue to meet the agreed-upon standards in place, particularly when working with data subjects in the EU or within highly regulated industries.

Protect your company’s stored data and guarantee the safety of your data subjects’ most personal information using database security software.

Holly Landis

Holly Landis is a freelance writer for G2. She also specializes in being a digital marketing consultant, focusing in on-page SEO, copy, and content writing. She works with SMEs and creative businesses that want to be more intentional with their digital strategies and grow organically on channels they own. As a Brit now living in the USA, you'll usually find her drinking copious amounts of tea in her cherished Anne Boleyn mug while watching endless reruns of Parks and Rec.