A (gentle) introduction to data privacy regulations for IO Practitioners: The rights of the data subject.

In our previous article, we discussed the basics of data privacy and protection, as codified in acts such as the General Data Protection Regulation (GDPR), the Protection of Personal Information (POPI) act and others. Being conversant with the such legislation is fast becoming a normal component of the toolset that IO Practitioners need to draw upon in their day-to-day activities.

In today’s article, we’ll take a closer look at the rights extended to data subjects and what IO Practitioners need to know about them.

What is a data subject?

The somewhat awkward term of data subject refers to anybody that has their data collected by either a data processor or controller (terms we covered in our previous article). And by “their data,” we are referring to any information that is collected on the data subject.

Important to note is that this includes both actively obtained data (i.e. data acquired through questions asked, forms being filled in, etc.) as well as passively obtained data (i.e. data on the person’s behavior on a website, data on pages viewed, etc.).

Of course, at any given time, data controllers and processors may be data subjects themselves, depending on the situation.

The rights of data subjects

If there is a single reason for the renewed interest and activity regarding data privacy and protection, it is the question of what people’s rights are in relation to their own personal data.

In broad terms, data privacy acts like GDPR aim to protect people from companies that want to use their personal data without the appropriate consent or security. In a narrower sense, privacy acts ascribe specific rights to data subjects that enable such protection.

Here is a summary of the basic rights of data subjects, as sketched out in the GDPR (but which are also very similar across different privacy acts):


Although not technically a right, the cornerstone of all privacy regulations is that individuals must have the opportunity to consent to having their personal data collected and stored.

Companies are therefore not allowed to use various “consent manufacturing” techniques such as “opt out” forms that assume consent or taking no objections (i.e. silence) to necessarily mean that consent has been given.

An important proviso to this requirement is that consent can be assumed in regard to conducting assessments as part of regular recruitment and talent management processes. That’s because regulations like GDPR are not meant to replace professional conduct rules such as those provided by the HPCSA and other professional associations, which clearly do give practitioners permission to assume consent in such cases.

In addition, candidates who undergo assessments do so voluntary and with full knowledge of the process, so data privacy regulations are generally not relevant in such processes.

Consent is relevant in regard to mechanisms that practitioners may use to capture the personal details of people who interact with their businesses but who are not part of a talent assessment process, such as subscribing to newsletters, or filling in contact forms online.

Information about data being collected

Data subjects have the right to knowing among other things, why, how, and for how long their data will be collected and kept by companies.

Access to data

Data subjects have the right to access their personal data being held by companies. This is not necessarily an absolute right, so cost implications, IP rights and other considerations may still apply.

Correction of data

Data subjects can request that incorrect personal data be corrected.

The right to be forgotten

Data subjects can ask for their data to be erased when it is no longer needed. Again, this right is conditional on several factors, such as the original purpose for the collection having expired, or that no legal reasons exist for the information to be retained.

These restrictions are important to note: it prevents the arbitrary or unwanted erasure of data that is used in essential talent management processes in organisations on a daily basis.

Object and restrict use

Data subjects may object to a company using their personal data for specific purposes, as well as request that the use of personal data be restricted. This right is in effect even when initial consent was given to collect the data. In other words, data subjects may at any time during data collection or processing object to the use of their personal data.

However, data subjects who object to the processing of their data are not exempt from the consequences of such restrictions, such as their application no longer being processed, for instance.

Data portability

Data subjects may request that their data is transferred to another data controller in a portable format. This should be measured against costs and technical feasibility, however. An additional consideration is ownership of the data.

If an assessment was done as part of a legal requirement or talent management intervention, the data belongs to the commissioning organization. In cases like these, the request to transfer data is dependent on the consent of the contracting or controlling organization.

Automated decision-making

Data subjects have the right to object to them being profiled through automated processes when it affects their legal standing or opportunities. This refers to using biometric or demographic data in a completely automated manner to make decisions about people, such as their credit rating for instance.

IO Practitioners may feel conflicted about this right, since we know that better talent decisions are made when using algorithmic principles. But because talent decisions using assessment data are always a human-mediated process, even when algorithms and AI may be involved somewhere along the line, this restriction does not really apply to such practices.

In fact, one of the consequences of this right is that data subjects may request that automated decisions be reviewed by a human, something that IO Practitioners do as part of their day-to-day activities. Privacy acts like GDPR only demand that there be a break between the automated recommendation using algorithmic principles and the final human decision, something that is core to IO Psychological practice already.

How to ensure that data subjects’ rights are protected

Based on the above, it may seem daunting to ensure that you comply with data privacy regulations, especially when data subject rights are concerned. But it’s actually quite simple. Here are three key principles to keep in mind:

  1. Obtain consent. As mentioned above, a cornerstone principle of data privacy is to make sure that you have data subjects’ consent to both gather and use their personal information. That means that if you’re capturing personal data in contact or subscription forms on your website, you need to ensure that visitors have clear ways of consenting or not consenting to having their data collected.Note that this requirement can be fulfilled in multiple ways. For instance, visitors may be directed to information on how to switch off the use of cookies to capture their data, but you are not obliged to do that for them. In general, you should avoid tricky “opt-out” solutions and make it clear that you require the person to explicitly give you permission to use their personal data in any marketing activities you have planned.As mentioned earlier however, when you collect data as part of a legal or contractual agreement, it is not necessary to get explicit consent from participating individuals.For example, candidates participating in assessments as part of a job application will have received notifications about the need and purpose of the assessments. The practicing IO Psychologist can in cases like this assume informed consent since information about the assessments and their use were part of the notifications and process leading up to the assessments.It’s important to note that informed consent is not a form or tick box but a process. The goal of the informed consent process is to provide sufficient information so that a participant can make an informed decision about whether or not to enroll or to continue their participation.  Therefore, the invitation to participate in talent assessments, the nature, duration and purpose of data usage must be written in language easily understood by candidates.
  2. Have a ready-made process for data requests. Data privacy regulations give data subjects far more discretion regarding how their information is used and stored. As a result, they can request their data to be deleted, transferred or altered. Given this, it makes sense to have a process you can easily implement when such requests come your way. Designing one once you’ve received your first data request is probably too late.In such a process, make sure that you understand who will deal with the request, how and when you are allowed to pass on data, and what you consider to be reasonable requests for data. In this regard, keep in mind that acts like GDPR don’t force data controllers or processors to action data requests free of charge. If a data request will be particularly onerous to fulfil, you may want to charge for your efforts. Remember to keep data ownership in mind. As previously discussed, it may be dependent on the contractual agreements made to and by the commissioning organization.
  3. Be reasonable. Enacting regulations like GDPR may seem like yet more unwanted red tape, but it’s worth acknowledging that they protect everybody, including you. At heart, data privacy acts want to prevent unscrupulous companies from misusing our personal data and to stop them from subjecting us to unwanted spamming and invasion of privacy.It’s useful to keep that in mind when dealing with data rights and requests. In most cases, a reasonable, empathic approach to legitimate concerns regarding privacy is the right attitude to adopt.


Final thoughts

In this series of articles, we have tried to demystify and clarify data privacy regulations as they pertain to IO Practitioners. In our next and final article, we’ll look at some practical steps professionals can take to ensure full compliance with acts related to the protection of personal data.

If you have questions about this article, or would like to see what else TTS can help you with, why not drop us a line at info@tts-talent.com?