Data Subject Access Requests. While working with various companies on their GDPR compliance, one thing that has become clear to me is that while many people realize that there are significant security and legal concerns, an oft-forgotten aspect of their preparations is making sure that their people understand Data Subject Access Requests and know how to appropriately deal with them.
Just what exactly are these Data Subject Access Requests?
The definition of valid access requests is quite broad under the GDPR and, in fact, is expanded over what was previously required by the Data Protection Directive. The GDPR, as opposed to the Directive, does not specifically require that an access request be made in written form, or contain any specific 'formal access request' language. Also, when a request is received in electronic form, it should be responded to in a "commonly used electronic format" (think email). Companies no longer have the ability to fine (at least the initial) requests, and need to comply with the request within just 30 days. The implications of this are that these requests might be made to any employee at your organization via any means. That can be daunting to try and control such a wide cast net, but with some training for your customer-facing personnel, can be overcome.
What do I mean by 'Biggest Concern'?
Access request complaints currently top the list with EU Data Protection Authorities.
According to the UK's independent Information Commissioner's Office (ICO) official statistics, the number one complaint received by their offices is the mishandling of data subject access requests. Several DPA offices are indicating that there has been a significant increase in data subject access
request complaints submitted in the years leading up to GDPR and many are predicting
a massive jump after the May 25th deadline. According to the Irish access request concerns currently account for over 50% of all complaints and, by just August 2017 the total number had already eclipsed the amount from all of 2016. Lack of preparation in organizations ability to properly handle requests has been cited as a primary point of concern.
Data Subject complaints bring the wrong sort of attention.
A likely way for your company to get on the radar of a Data Protection Authority would be to mishandle an access request. Unless you're Google or Facebook, it's not very likely that you are necessarily going to immediately find yourself at the center of any bullseye when it comes to regulators looking to impose fines, but the more alarm bells you set off by having complaints broght against you, the closer to the center of that target you're likely to move.
The massive 4% of global revenue fines are getting a lot of attention, but there is just not going to be the capacity for EU Member authorities to scan every company for non-compliance without some help from the general population. Much like Mark Zuckerburg explained in his testimony regarding flagging inappropriate user content for further investigation, fumbling an access request and causing a complaint is probably a sure way to get some unwanted attention from Data Protection Authorities.
There is strong advocacy for EU data subjects.
If you are just hoping for ignorance on the part of protected Data Subjects, you should know that there are many groups out there to help data subjects understand and exercise their rights and it's important to realize that under the GDPR an individual can actually transfer their rights to a separate party to request access and exercise rights on their behalf.
People will become more familiar with their rights and the process of pulling that lever to protect their data as needed. Also, with each request your company receives, you are required by GDPR to inform Data Subjects of their rights just in case they aren't already fully aware. Data Subject Access Requests or DSARs might possibly be the most important aspect of GDPR preparations if you consider the exposure to risk that they actually represent in terms of numbers of opportunities for problems to arise regarding your compliance.
EU individuals actually have more than one avenue for recourse under the GDPR. Shown here from the European Commission website is a very simple flowchart showing two paths, neither of which would be one that you never want a Data Subject to take in regards to your company.
What do I mean by 'not enough people talking about this'?
Two thoughts: There are not enough industry experts weighing in and not enough customer-facing employees (the ones who will actually get these requests) who fully understand the exposure of GDPR Access Requests and what should be done to prepare for compliance.
Industry professionals in executive, legal, security, or IT roles have had to be living under a rock to not hear at least the cry of alarm regarding the massive GDPR compliance penalties. While there has been plenty of hand wringing about the fines and the increased workload in security and legal paperwork. In many cases, not much of that concern is spilling over to other parts of the company to groups that should also be involved. These are your sales, customer success, support and even HR teams. I'd not be surprised many of the people who will likely be the ones receiving access requests could not even venture a guess at what the GDPR acronym might stand for, let alone what it means for them in their role. This is a problem you don't want your organization to have.
While the new regulation certainly should concern the obvious parties, thinking through the logistics of a Data Subject Access Request should lead one to realize that there may be some not so obvious parties to involve, inform and instruct. If you aren't fully confident that every front-lines employee (think anybody talking to customers) could recognize a DSAR when they saw one and be able to respond appropriately, you may have yet another thing to keep you up at nights, and if left unresolved could be the first step in raising the suspicions of a Data Protection Authority.
What is the best course of action for GDPR Access Requests?
A disciplined regimen of personnel training and process testing, then train and test again.
In regards to Security of Processing Article 32 of the GDPR section 1-d recommends:
'...a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.'
This same approach can be used for strengthening your communications process and ensuring that no alarm bells ever go off along your longest exposed border with your data subjects (aka customers, partners, and employees). Straight from the UK Information Commisioner's Office:
'User testing is a good way to get feedback on how effective the delivery of your privacy information is.'
AppGlo can help you with your GDPR Compliance Assurance, process testing, and continuous improvement. Get in touch to find out how this will best fit the needs of your company.
