For a significant-scale company, automation of personal data management is necessary to meet the key requirement of GDPR. People have the right to manage personal data and to be informed about their collection and use. You should be ready to provide information about the purpose of data processing at any time.
The rules regarding personal data management, lawfulness of their processing and obligations regarding the processing of special categories of personal data extend much further than the rights of the data subject. However, if data subjects wish to exercise one of their rights, then the controller (and processors) must be able to exercise that right.
The most difficult obligation of the GDPR for companies in 2019 was the exercise of the right to be forgotten."
Enabling data subjects to exercise their rights is a difficult process and a technological challenge. Considering that the data of one person is usually scattered over many systems, the fulfilment of each of these obligations involves checking and collecting data from all potential data sources. Be it a large IT environment or a smaller one, but with a lot of unstructured data – personal data management is a very demanding task.