So next we're going to cover DSR or Data Subject Rights. Now, so this all makes sense, there are a couple of terms that you will need to get familiar with. The first one is data subject. Now a data subject is the person whose identifiable data is being held. So for example, if you're a citizen of the EU and Cloud Academy held some data on you that would mean you would be the data subject.

The next term is data controller, which is sometimes just called the controller. Now the controller is the organization that is holding the data. So in the last example, Cloud Academy would be the data controller.

The third term that you need to know is the processor. The processor is the entity that is storing the data on behalf of the controller. So let's imagine Cloud Academy is storing all of your personal data in SharePoint that makes Microsoft the processor as Microsoft is actually processing and storing that data on behalf of the controller Cloud Academy.

So now we have those definitions out of the way, what actually is a DSR? So with the GDPR it gives data subjects the following rights for their personal data. To obtain copies of their personal data, to request corrections of their personal data, to restrict processing of their data, to delete their data, and also to receive their data in an electronic format so it can be moved to another controller.

A formal request by the data subject to the data controller to take any of these actions is called a Data Subject Rights Requests or a DSR Requests for short. Now as a data controller, you are obligated to promptly consider each DSR Request and provide a substantive response either by taking the request action or by providing an explanation to the data subject why the DSR cannot be accommodated by the controller.

It is advised to consult with legal or compliance advisors inside of your organization or outside of your organization regarding the proper disposition of any DSRs. There are several processes that may be involved in completing a DSR. The first one is the discovery process. This will be involved in all DSR Requests as you cannot act on a DSR without actually discovering the data.

The access process is the retrieval and potential transmission to the data subject of the discovered data. The rectify process is when the data subject has requested changes to their personally identifiable data and you as the data controller will implement the changes or requests the changes to the data. The restrict process as it sounds like, is changing the access rights to the personal data, or even possibly moving it out of the Microsoft cloud.

The export process is similar to the access process but in the export process you are providing a structured machine-readable format of that data. The basis of this is because the data subject has the right to data portability or to move that data to a different data controller. Exporting the data gives the data subject the means to do this. The delete process, now this one's pretty straightforward, it is the removal of personal data from the Microsoft cloud.