Data Subject Requests
Data subject rights form part of data protection regulation across the globe. They provide individuals with rights in relation to any personal information your organisation may be processing about them. GDPR identifies 8 different rights the individual has – to be informed, access, rectification, erasure, restriction of processing, data portability, object and not to be subject to automated decision making. Each of these must be responded to within 30 days and normally no charge can be levied. Repeated failure to meet these metrics can lead to regulatory intervention.
While data subject rights are not new in legislative terms, there are changes in the dynamics around how they are received. As people become more aware of their personal information, the volume of data subject requests increases. This is compounded by a new entrant to the market, request brokers, who submit regulatory requests on behalf of individuals. These two factors have led to a new set of challenges that organisations must address:
- Volumes of data subject requests are increasing and becoming more complex, driving cost up, requiring more efficient and effective ways of responding
- Organisations are collecting significantly more personal information today, making the assimilation of information to be provided more costly and time consuming
- Data subject requests are typically received on a case-by-case basis, but the emergence of request brokers has meant that multiple requests can be submitted simultaneously, introducing the concept of 'SAR bombing'
When these challenges are combined with an organisation's responsibility to demonstrate accountability under GDPR, there is the potential for cost escalation. Balancing compliance and cost can be difficult. To support our clients, we have developed a series of propositions that allow them to assess, improve and assure data subject request processes, ensuring an optimal outcome can be achieved.
Data Subject Rights Health Check
Individuals have a range of data subject rights under GDPR - all of which must be responded to within 30 days. Should an organisation fail to meet these timescales there are impacts – repeated infringement could result in regulatory intervention or fines. Additionally, there will be a loss of customer confidence.
Balancing the cost of responding to data subject requests with compliance responsibilities can be difficult. The challenge is to make the response processes as efficient and effective as possible.
To help clients strike this balance we have developed a data subject rights health check that will provide you with:
- An understanding of which data subject rights are applicable by legal basis for processing;
- An assessment of the effectiveness of data subject request processes;
- A review of relevant governance, issue resolution and training to support data subject requests;
- Recommendations as to efficiency improvements that could be made;
- A set of prioritised recommendations tailored to your organisation.
This work can be used to validate your response processes internally, to identify activities for improvement, or to form a key cornerstone in evidencing GDPR compliance.
We created DP Assure as a service-based approach to providing privacy & data protection advice to our clients. Our aim is to be an extension of your team, acting as a trusted advisor. By getting to know you, we will be in a better position to offer you pertinent and timely advice.
Our experience is that the majority of clients are looking for support and guidance when responding to data subject requests, rather than someone to do it for them. As part of DP Assure, we provide advice, guidance and templates for responding to data subject requests, supporting you through the process. We will already have gotten to know your organisation, putting us in a unique position to offer relevant, targeted advice & recommendations to facilitate your responses. This is an alternative to conventional consulting, providing you with a cost-effective approach to addressing regulatory change.
If this sounds interesting, see DP Assure for more information.