Data Subject Access Requests
As DPOs, enabling individuals to find out what personal data an organisation holds about them, why it holds it and who it is disclosed to, is not only fundamental to good information-handling practice, it is the law. While a person has always had the right to request this information, the widespread publicity surrounding GDPR in the run up to and since its implementation, means that people are not only more aware of their rights, they are more likely to exercise them.
For many organisations, this has led to a significant increase in the number of subject access requests (SARs) they are required to handle.
There could be many reasons for a SAR, from individuals having a legitimate complaint, to concerns about data privacy, to simple curiosity about how the data is being used. GDPR also removed the option for organisations to charge for a SAR (unless it is particularly complex or excessive) which means there is less of a barrier to an individual submitting a request.
These can present a significant operational burden on any organisation, large or small. For consultants working with multiple businesses with differing needs, it is important that they are able advise their clients on how to both prepare for and deal with SARs in a timely manner.
However, as DPOs ourselves, who have dealt with many SARs, we also believe that the effective management of requests should not purely be seen as an operational burden. As such, we’ve outlined our top tips on both managing SARs, as well as how they can be an opportunity to help drive cultural and technical change within an organisation.
1. Communicate effectively
The key to successful SAR management is having a robust, easy-to-follow process that’s easy to find and well communicated through your privacy notice. This way, data subjects will be clear on how they put in a request, and the expected timescales in which they will receive a response.
Additionally, you should implement any available technical measures which enable the data subjects to retrieve their personal information themselves. We see organisations such as Facebook making good use of these functions.
2. Train frontline employees
We are major advocates in the importance of regular training, and have always stressed to our clients that data privacy compliance is not a one-time issue – it should be a long-term strategy.
This is the same when dealing with SARs. All frontline employees should be trained on the rights data subjects have, and how they may approach an organisation to exercise them. Sometimes, SARs can be missed if a staff member didn’t realise that a request was being made.
3. Act quickly
Under GDPR, an organisation has 30 days to respond to a SAR - which means time is of the essence. There are several ways to avoid delays:
- Know where your data is – GDPR requires larger organisations to have a record of processing activities (ROPA), so use it! The most time-consuming and labour-intensive part of responding to a SAR is gathering the requested data, which can vary depending on the nature of the request
- Have a team with clearly defined roles and responsibilities, so tasks can be delegated and actioned quickly
- Know the law, and seek in house or external legal counsel if required – there are areas where exemptions can be used to restrict access to certain types of data.
4. It pays to talk
As mentioned, there can be several reasons why a person submits a SAR. However, generally, people don’t do it because they are happy – in most cases, it is in response to a particular issue. Talking to the person in question can not only help define the parameters of the request – which will help reduce the work involved in responding to it – it could also help address any grievance and negate the need for the SAR in the first place.
5. Use your insights to spearhead change
While the priority should obviously be responding to a SAR in a thorough and timely way, an organisation should make time to use and analyse their SAR patterns. For example, what kind of information is being requested on a regular basis? Are there any particular trends when it comes to grievances?
This insight can be used to drive cultural change, and help reduce the number and types of SARs that are occurring.
6. Invest in software
Depending on the complexity of the request, responding to a SAR can be a time-consuming process. This is even more of an issue for consultants managing multiple SARs for multiple clients at any one time.
The advances in digital technology to streamline processes means that significant efficiencies can be made by investing in software to help manage SARs. That one of the main reasons why we developed The Compliance Space – as a platform to help consultants to significantly reduce the administrative burden of GDPR.
Our Organisation Manager function is a live dashboard that allows a consultant to easily track the progress towards GDPR compliance for all clients. It also provides a way to keep track of – and respond to - any queries, such as SARs, driving efficiencies and providing data to help spearhead organisational change.
For more information on how The Compliance Space can help your organisation better manage DSARs, or to book a demo, contact us at https://www.thecompliancespace.com/book-a-demo