What Is a Data Subject? A Complete Guide for Tech Companies
What Is a Data Subject?
A data subject is a living, identifiable natural person to whom personal data relates. Under data protection regulations such as the General Data Protection Regulation (GDPR) and UK GDPR, the term specifically refers to an individual whose personal information is collected, processed, stored, or used by an organisation.
Put simply: if your business handles information about a person - a customer, employee, website visitor, or supplier - that person is a data subject.
The concept sits at the heart of modern data protection and privacy law. Whether you're a SaaS company processing customer records, a fintech handling transaction data, or any organisation running digital services, understanding who your data subjects are is the first step toward compliance with frameworks including GDPR, ISO 27001, and SOC 2.
The Legal Definition of a Data Subject
GDPR and UK GDPR Definition
Article 4 of the GDPR defines a data subject as:
"An identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
The UK GDPR carries the same definition. At its core, this means:
Natural person: A living individual, not a company or organisation.
Identified or identifiable: Someone who can be singled out using data, either directly (e.g., name, email) or indirectly (e.g., IP address, cookie ID, device fingerprint).
Any information: Data in any format - digital, paper, photo, audio, or video - that relates to that person.
What Makes Someone Identifiable?
A person is considered "identifiable" if you can distinguish them from others using the data you hold, or by combining your data with other reasonably accessible information. This doesn't require certainty - if identification is possible with reasonable means, the data is personal, and the person is a data subject.
Examples of identifiers:
Direct: Full name, National Insurance number, passport number, employee ID
Indirect: IP address, browser cookies, mobile advertising ID, vehicle registration, geolocation data, transaction history
Even seemingly anonymous data can make someone identifiable. For example, if a dataset includes postcode, age, and gender, it may be possible to identify a specific person when cross-referenced with public records.
Common Examples of Data Subjects
Every organisation processes data about multiple categories of data subjects. Here are the most common:
1. Customers and Clients
Anyone who purchases or subscribes to your products or services. This includes:
Names, email addresses, and contact details
Payment and billing information
Purchase history and preferences
Support ticket logs and correspondence
For SaaS companies, customers are often the largest category of data subjects. Every user account, transaction record, and interaction generates personal data.
2. Employees (Current, Former, and Prospective)
Your workforce and job applicants are data subjects. Employee data often includes:
Personnel files and HR records
Payroll and bank account details
Performance reviews and disciplinary records
Timesheets, attendance logs, and leave records
Health and background check information
This category often includes special category data (sensitive data), such as health records or equality monitoring information, which requires higher protection under GDPR Article 9.
3. Website Visitors and Users
Anyone who visits your website or uses your app, even without creating an account:
IP addresses and device identifiers
Cookie data and browsing behaviour
Geolocation data
Form submissions and chat interactions
Even anonymous browsing can create identifiable data when combined with other information, such as login events or marketing analytics.
4. Prospective Customers (Leads)
Individuals who have shown interest but haven't yet purchased:
Contact forms and demo requests
Marketing email lists and newsletter subscribers
Event attendees and webinar participants
Downloaded content (whitepapers, guides)
5. Suppliers, Partners, and Contractors
Individuals acting on behalf of third-party organisations:
Sole traders and freelancers
Vendor representatives and their contact details
Partner account managers
6. Visitors to Physical Premises
Individuals captured by visitor logs or CCTV:
Sign-in sheets and visitor management systems
Security footage
Access card logs
Data Subjects vs. Data Controllers vs. Data Processors
Understanding the distinction between data subjects, data controllers, and data processors is fundamental to compliance.
| Role | Definition | Example |
|---|---|---|
| Data Subject | The living individual whose personal data is being processed | A customer whose email and purchase history are stored |
| Data Controller | The organisation that determines the purposes and means of processing personal data | Your SaaS company deciding to collect customer emails for marketing |
| Data Processor | A third party that processes data on behalf of the controller | A cloud hosting provider or email marketing platform used by your company |
Key Points
Data subjects have rights over their personal data.
Data controllers have responsibility and accountability for protecting that data.
Data processors must follow the controller's instructions and maintain appropriate security measures.
For example, if your SaaS company uses a third-party CRM to manage customer contact data, you are the data controller (you decide what data to collect and why), the CRM provider is the data processor (they process the data on your instructions), and your customers are the data subjects (their data is being processed).
Data Subject Rights Under GDPR
Data subjects are not passive. Under GDPR and UK GDPR, individuals have eight core rights over how their personal data is collected, used, and stored. Controllers must be able to respond to these rights efficiently and within legal timeframes (typically one month).
1. Right to Be Informed
Data subjects have the right to know what data is being collected, why, how long it will be kept, and who will see it. This is typically addressed through privacy policies, cookie banners, and fair processing notices.
2. Right of Access (Subject Access Request)
Individuals can request a copy of all personal data an organisation holds about them. This is known as a Data Subject Access Request (DSAR).
Example: An employee requests copies of their personnel file, payslips, and performance reviews.
3. Right to Rectification
Data subjects can ask for inaccurate or incomplete data to be corrected.
Example: A customer notices their delivery address is outdated and requests it be updated.
4. Right to Erasure (Right to Be Forgotten)
Under certain conditions, individuals can request deletion of their personal data - especially if it's no longer necessary, consent is withdrawn, or processing was unlawful.
Example: A former subscriber asks a SaaS company to delete their account and all associated data.
5. Right to Restrict Processing
Data subjects can request that processing be paused while a dispute (e.g., accuracy of data) is resolved, without requiring deletion.
6. Right to Data Portability
Individuals can request their data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) to transfer it to another service.
Example: A user exports their playlist data from one streaming service to move to a competitor.
7. Right to Object
Data subjects can object to processing for certain purposes, particularly direct marketing, profiling, or processing based on legitimate interests.
Example: A customer opts out of receiving marketing emails.
8. Rights Related to Automated Decision-Making and Profiling
Individuals have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects, unless specific conditions are met.
Example: A loan applicant requests human review of an automatically rejected application.
Special Categories of Personal Data (Sensitive Data)
Not all personal data is equal. Special category data (defined in Article 9 of the GDPR) refers to sensitive information that requires additional protection and stricter lawful bases for processing.
What Qualifies as Special Category Data?
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data (e.g., fingerprints, facial recognition)
Health data (physical or mental)
Data concerning sex life or sexual orientation
Why It Matters
Processing special category data is prohibited by default under Article 9 unless one of the specific exceptions applies, such as:
Explicit consent from the data subject
Processing necessary for employment, social security, or social protection law
Protecting vital interests (e.g., life-or-death medical situations)
Processing necessary for medical diagnosis or health care
Substantial public interest
For tech companies, this is particularly relevant if you:
Collect health or wellbeing data (e.g., fitness apps, mental health platforms)
Use biometric authentication (fingerprint or facial recognition)
Conduct equality monitoring among employees
Handle patient or medical records
Data Subjects in the Context of ISO 27001 and SOC 2
While GDPR is a data protection regulation, ISO 27001 and SOC 2 are information security standards. However, all three intersect strongly when it comes to protecting personal data and the rights of data subjects.
ISO 27001 and Data Subject Protection
ISO 27001 is an internationally recognised standard for establishing an Information Security Management System (ISMS). It requires organisations to manage risks to all types of information, including personal data.
Relevant controls include:
Access control (Annex A.9): Ensuring only authorised personnel can access data subject information.
Encryption (Annex A.10): Protecting personal data in transit and at rest.
Data masking and pseudonymisation (Annex A.8.11): Reducing the identifiability of data subjects where full data is not required.
Incident management (Annex A.16): Responding to personal data breaches.
Note that these references mix the two editions of the standard: A.9, A.10 and A.16 are ISO 27001:2013 Annex A numbering, while A.8.11 (Data masking) is a control introduced in ISO 27001:2022; map them to whichever edition your certification body is auditing against.
For SaaS companies pursuing ISO 27001, demonstrating how you protect data subjects - particularly customer and employee data - is a core component of certification readiness.
SOC 2 and Data Subject Rights
SOC 2 is a compliance framework widely recognised in North America, structured around five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
The Privacy criterion specifically aligns with data subject rights, requiring organisations to:
Allow data subjects to access, update, or correct their personal data
Provide a clear notice about data collection and use
Obtain consent where required
Ensure secure disposal of personal information when no longer needed
SOC 2 Type 2 audits evaluate whether these controls are not only designed appropriately but also operating effectively over time - critical for demonstrating ongoing respect for data subject rights.
For companies operating in both the UK/EU and North America, aligning SOC 2 audit preparation with GDPR obligations creates a unified compliance posture that protects data subjects while meeting diverse customer and regulatory expectations.
Why Understanding Data Subjects Matters for Compliance
Knowing who your data subjects are and what data you hold about them is not optional - it's a legal and operational necessity.
1. Legal Compliance
Failing to recognise data subjects and their rights can lead to:
Non-compliance with GDPR, UK GDPR, and other privacy laws
Fines up to €20 million or 4% of global annual turnover (whichever is higher)
Regulatory investigations and enforcement action by the Information Commissioner's Office (ICO) or other supervisory authorities
2. Customer Trust and Sales Enablement
Modern buyers - especially enterprise customers - expect robust data protection. Being able to clearly articulate how you handle data subject information supports:
Security questionnaires and vendor due diligence processes
Proof of compliance during procurement
Competitive differentiation in crowded markets
3. Operational Efficiency
Understanding your data subjects allows you to:
Map data flows and processing activities accurately
Respond efficiently to Data Subject Access Requests (DSARs)
Implement effective data retention and deletion policies
Streamline audit preparation for ISO 27001, SOC 2, and privacy assessments
4. Risk Management
Identifying where sensitive data about data subjects is stored, who has access, and how it's protected reduces the risk of data breaches, unauthorised access, and reputational damage.
Practical Steps: How to Manage Data Subject Information
Here are actionable steps for SaaS and tech companies to ensure they handle data subject information compliantly and securely.
Step 1: Identify Your Data Subjects
Create a clear inventory:
Who are your data subjects? (Customers, employees, website visitors, etc.)
What categories of personal data do you collect for each group?
Where is this data stored? (CRM, HR systems, cloud storage, databases, backup systems)
Step 2: Document Your Legal Basis for Processing
For each category of data subject and data type, identify:
Why you're processing the data (purpose)
What legal basis you're relying on (e.g., consent, contract, legitimate interest, legal obligation)
How long you'll retain the data
This forms the foundation of your Record of Processing Activities (ROPA), required under GDPR Article 30.
Step 3: Implement Data Subject Rights Processes
Ensure you can respond to:
Access requests: Can you provide a copy of all data about an individual within one month?
Rectification requests: Can you update inaccurate data quickly?
Erasure requests: Can you delete data securely across all systems, including backups?
Objection requests: Can you stop processing for specific purposes (e.g., marketing)?
Automation and clear workflows reduce response times and compliance risk.
Step 4: Apply Appropriate Security Controls
Align with ISO 27001 and SOC 2 principles:
Encryption: Protect data in transit (TLS) and at rest (AES-256 or equivalent)
Access controls: Implement role-based access (RBAC) and the principle of least privilege
Logging and monitoring: Track who accesses data subject information and when
Data masking: Where full identifiers aren't needed, pseudonymise or anonymise data
Step 5: Train Your Team
Ensure employees understand:
What personal data is and who data subjects are
Their responsibilities under GDPR and your internal policies
How to recognise and escalate data subject requests
How to handle data securely (e.g., not sharing customer data via unencrypted email)
Step 6: Review and Audit Regularly
Data processing activities change as your business grows. Schedule:
Quarterly reviews of your ROPA
Annual audits of data subject rights response processes
Regular penetration testing and vulnerability assessments
Third-party audits (ISO 27001, SOC 2) to provide independent assurance
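The following Python example is added to this guide and is not code from Tempo Audits or any product; it ties Steps 3 and 4 together by keying records about a data subject with a keyed hash (HMAC-SHA256) instead of the raw email, logging every access, and answering access/portability and erasure requests across every store, backups included. The key, the store names and the records are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key for this example only. In production the key lives in a
# secrets manager and is never committed to source control.
PSEUDONYM_KEY = b"example-only-key-replace-me"

# Constructed data stores, keyed by pseudonym rather than by email. Backups
# are modelled as a store so erasure can be shown to reach them too.
STORES = {"crm": {}, "backups": {}}

# Audit trail of who touched which data subject's records and when.
ACCESS_LOG = []


def pseudonymise(identifier: str) -> str:
    """HMAC-SHA256 of a direct identifier such as an email address.
    Unlike a plain SHA-256 (reversible by hashing guesses), a keyed hash
    cannot be reversed by someone who has the table but not the key."""
    normalised = identifier.strip().lower()  # one person -> one pseudonym
    return hmac.new(PSEUDONYM_KEY, normalised.encode(), hashlib.sha256).hexdigest()


def store_record(store: str, email: str, record: dict) -> str:
    """Save a record about a data subject under their pseudonym."""
    token = pseudonymise(email)
    STORES[store].setdefault(token, []).append(record)
    return token


def _log(actor: str, action: str, token: str) -> None:
    ACCESS_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "action": action, "subject": token,
    })


def export_subject_data(email: str, actor: str) -> str:
    """Access / portability request: everything held about one person,
    across every store, as machine-readable JSON."""
    token = pseudonymise(email)
    _log(actor, "export", token)
    payload = {name: store.get(token, []) for name, store in STORES.items()}
    return json.dumps(payload, sort_keys=True)


def erase_subject(email: str, actor: str) -> int:
    """Erasure request: delete from every store, backups included. Returns
    the number of records removed so the response can be evidenced."""
    token = pseudonymise(email)
    _log(actor, "erase", token)
    return sum(len(store.pop(token, [])) for store in STORES.values())
```

Because the stores are keyed by pseudonym, a DSAR can still be fulfilled by recomputing the token from the requester's verified email, while a leaked table on its own does not expose who the records are about.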
Common Mistakes to Avoid
1. Treating All Personal Data the Same
Not all data carries the same risk. Sensitive data (Article 9) and data about children require stricter handling. Failing to classify data appropriately increases compliance risk.
2. Ignoring Indirect Identifiers
Many organisations assume data is anonymous if it doesn't include a name. However, IP addresses, device IDs, and behavioural profiles can still identify individuals, making them data subjects.
3. Poor Vendor Management
Third-party processors (e.g., cloud providers, analytics tools, CRMs) also handle data subject information. Failing to conduct due diligence or sign appropriate data processing agreements (DPAs) creates liability.
4. Inadequate DSAR Processes
Data Subject Access Requests must be completed within one month. Organisations without clear processes or data maps often struggle to respond on time, leading to regulatory complaints.
5. Failing to Update Documentation
Your Record of Processing Activities, privacy policies, and data maps must be kept current. Outdated documentation undermines compliance efforts and makes audits harder.
Conclusion
Understanding what a data subject is - and how to protect their personal data - is fundamental to legal compliance, customer trust, and operational resilience. For modern SaaS and tech companies, data subjects include not only customers but also employees, website visitors, leads, and more.
Compliance with GDPR, UK GDPR, ISO 27001, and SOC 2 hinges on your ability to identify data subjects, document how you process their information, respect their rights, and secure their data against unauthorised access or breaches.
At Tempo Audits, we specialise in helping fast-growing tech companies navigate the complexities of ISO 27001 certification and SOC 2 audits with a focus on practical, tech-native compliance. Whether you're building your first ISMS, preparing for an audit, or strengthening your data protection posture, we provide plain-English guidance and collaborative support designed around your stack and your team's realities.
If you're ready to simplify your compliance journey and demonstrate strong data subject protection to customers and regulators alike, get in touch with Tempo Audits today.