The EU’s General Data Protection Regulation (GDPR) permits users certain rights (referred to as “data subject access rights” or “DSARs” in the documentation) that organizations will need to be prepared to accommodate if they must comply with GDPR.
These rights are legally enforceable and aim to give users control of their personal information. These rights include…
- Right to be informed – Data controllers are required to provide information including contact details of key personnel involved in data processing/control, the purposes of data processing, and any recipients of personal data to data subjects when requested.
Data subjects are also required to be informed of their access rights.
- Right of access – Data subjects are able to ask controllers if their personal information is being processed. If it is, data subjects have the right to request access to the information being processed, including the purpose of processing, the information being processed, and the recipients of the information.
- Right to rectification – Data controllers must correct incorrect or incomplete information regarding a data subject “without undue delay” if requested by the data subject.
- Right to erasure – Article 17 allows data subjects the right to request deletion of their personal data if…
- The data isn’t necessary for processing.
- The data subject no longer consents to processing or objects to it.
- The data has been “unlawfully processed.”
- The data must be deleted for legal compliance.
- The data was “collected in relation to the offer of information society services.”
- Right to the restriction of processing – Article 18 allows data subjects the right to restrict processing of their personal data if…
- The data subject claims the personal data the controller possesses is inaccurate.
- “The processing is unlawful.”
- The data is no longer necessary for processing.
- The data subject objects to processing—and the objection is found to be legitimate.
After processing is restricted, data subjects’ personal data may only be processed under certain conditions or when the data subject consents to processing.
- Right to data portability – Data subjects have the right to receive their own personal data “in a structured, commonly used and machine-readable format,” as well as the right to transfer this data to another controller.
- Right to object – Data subjects have the right to object to the processing of their data.
- Rights relating to automated individual decision making, including profiling – Data subjects “shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
Without a clear understanding of DSARs and how your organization will respond, you may risk consuming too much time, money, and resources in efforts to remain compliant.
Regardless whether you’re a controller or processor, you’ll have to respond to these requests to remain compliant. Here are six considerations on how to prepare and respond when a customer chooses to request action on one of their new rights under GDPR:
1. Locating personal data is imperative.
The GDPR defines personal data as “any information relating to an identified or identifiable natural person.”
Understanding what information your organization retains that may fall under that definition and where that information resides on your network and systems is not only a critical step to compliance under GDPR but also being able to respond to a data subject request.
The GDPR specifies that requests must be responded to “within one month of receipt of the request.” To meet this timeframe, you must first know where that data resides.
2. Provide a clear mechanism for requests.
Providing a simple, clear, and/or automated method for users to request and receive information on their request will not only keep you compliant, but it will also simplify the request process to require a minimum of personnel involvement.
At a basic level, this could include a clearly-displayed email address on your site through which data subjects can send access requests. Another option is a form on your company’s site that includes all the required information you will need to process the request, i.e., contact information, validation credentials, and information being requested.
Regardless which method you choose, remember that the GDPR mandates a 30-day timeframe for a response to these requests. So, favor expedient methods or digital communication over traditional mail or slower communication wherever possible.
Finally, designate appropriate personnel to identify and manage the lifecycle of DSARs to ensure completion of every request within the 30-day timeframe.
3. Implement processes to verify user identity.
Article 12 permits that “where the controller [or processor] has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller [or processor] may request the provision of additional information necessary to confirm the identity of the data subject.”
Ensure you have mechanisms in place to confidently verify user identity before providing any requested information. This could include requiring requesters to answer security questions, provide other identifiers related to their account, or even sending a confirmation text message to the phone number associated with the data subject.
4. Collaboration between departments will be necessary.
Compliance with DSARs will require cooperation between all departments. The IT Department may be unaware of certain data locations or of specific types of data processed or stored by each department. By working collaboratively, all departments can be sure they are pulling their weight, and those in leadership positions can rest assured they’re not leaving any gaps in the process.
5. Define and document the process as much as possible.
Like any compliance framework or regulation, the GDPR will require implementation of formal processes to accomplish compliance.
Article 24 requires that “…the controller [and processor] shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”
While you may be tempted to wait until the GDPR goes into effect to define and document these processes, we recommend you begin immediately. You might try to respond to requests on an ad-hoc basis, but documenting the process beforehand will enable you to demonstrate that processing is performed in a compliant manner and simplify the process as much as possible.
6. Perform quality assurance at the completion of the process.
The review process should be used to ensure the organization is providing the appropriate information to the requester and that no proprietary or irrelevant information is inadvertently released.
Before marking a request as “complete,” perform a review to ensure that the data subject’s request has been met. This will differ between different requests.
For example, if the request was the erasure of personal data, you might perform a final database search to ensure that no personal information of the requester remains.
If the request was a release of personal data to the data subject, you may review the information being released to ensure that no proprietary data or personal data of other data subjects is included and that the personal data released is in “a structured, commonly used and machine-readable format…”
Or, if the request is the restriction of processing or objection to processing, you’ll need to ensure you have implemented processes to prevent processing at all points in the data flow for that particular data subject.
Seamless compliance with the GDPR requires more than a rote implementation of processes. It requires analysis of current processes and conscious implementation and documentation of new ones.
Contact us today, and we’ll guide you through GDPR compliance, helping your organization create processes that not only promote compliance but simplicity as well.