One of the most surprising things about the GDPR is its failure to specifically define who is a “data subject.”
Despite the centrality of this concept to the GDPR, the only meaningful definition of data subject is embedded in the broader definition of personal data in Article 4:
‘[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’)
Parsing that language, the data subject is not necessarily the data custodian. It is the natural person about whom the data speaks. As we explained in a previous post, the data subject under the GDPR is only a natural person, not a legal person.
This distinction can cause some confusion for eDiscovery practitioners who are used to data ownership by custodians. In that model, rights and responsibilities for data are based on who owns, maintains, or holds the data. The GDPR flips that on its head. The data subject—the identified or identifiable natural person about whom the data exists—has most of the rights related to the data itself. By way of example, a CRM database may have one custodian at an organization who owns or manages the system. The CRM itself would in turn have myriad data subjects—every identified or identifiable natural person listed in the database. This concept—that the rights to data belong to the person about whom the data exists rather than to the owner of the data—will be central to several of our upcoming topics on the GDPR.