How to deal with a data subject access request under GDPR
Inés Rubio provides her top tips for handling data subject access requests
The GDPR has shone a light on Data Subject Access Requests (DSARs) since it came into force more than a year ago. In fact, a recent survey revealed that DSARs have increased by 56% since the implementation of GDPR, and 67% of organisations have experienced an increase in the costs associated with responding to data requests. This won’t come as a surprise to marketeers, as customers continue to become more aware of how their data is used as a result of GDPR.
What is a data subject access request?
A data subject access request is the process by which European citizens and residents can obtain a full account of all personal data an organisation holds on them, an explanation as to why this information is being held, and copies of this data. Under the GDPR, companies are expected to complete DSARs within one month – previously it was 40 days.
The introduction of the GDPR has also expanded the ways in which organisations can receive a DSAR beyond the traditional postal option. Requests can be made by email, in person or by phone, through a live chat portal, or even via social media channels.
With the number of requests understandably predicted to rise over the next year as more people become aware of their rights under the GDPR, marketing professionals need to be prepared. They need to know where personal data is stored and what the data contains in order to fulfil a request from clients.
How to streamline your response to a data subject access request
Preparation is key with regards to DSARs. Marketeers need to be ready and aware so that they are not placed under undue pressure when they are required to respond.
By streamlining the process and establishing working methods and data flows that complement existing processes, organisations can reduce the impact on resources.
6 top tips for handling data subject access requests
1. Know where data is stored, what it contains and understand what your organisation is doing with the data (and scope accordingly).
2. Be vigilant with other people’s data. Any sensitive data related to other people will need to be removed or redacted/masked to ensure it is not disclosed to an unauthorised person.
3. Map your infrastructure and data flows: where are employees storing the data, how is it protected and who has access to it?
4. Work with your nominated data protection officer (DPO) or privacy officer (PO), or the core data management and privacy team, to act as the primary point of contact for DSARs.
5. Make sure you have the necessary tools so that you can easily access, search and export the data when requested, to assist with:
   - Filtering the data via key words/data analytics
   - Processing the data types used by the organisation: Slack, Teams, WhatsApp, etc.
   - Deduplication of data
   - Keeping an audit log of actions taken during the review.
6. Implementing a managed DSAR automation service will streamline the process, including centralised cloud applications for searching, reviewing, analysing and automated redaction.
It should be relatively simple for marketing professionals to search for personal data and provide it to the data subject who has requested it. However, in practice, this process can often be time-consuming and complex if organisations don’t have the necessary tools or resources to meet the demand. Research has shown that 20% of organisations have had to adopt new software/technology to deal with the growing trend.
Implementing a streamlined DSAR process, for either a large or small organisation, will not only reduce the impact on resources; it will also ensure that the requester receives all relevant details in a timely and compliant manner.