GDPR Deadline to Bring Data Subject Access Requests
Are you ready for data subject access requests to start arriving? The next stage of the GDPR compliance journey begins next week!
The two year implementation period for the EU General Data Protection Regulation will expire this week. Much of the focus around the May 25, 2018 deadline so far has been on the potential for enforcement actions by the data protection authorities exercising their newfound authorization to fine companies the higher of 20 million Euros or 4% of global annual revenue.
However, the bigger challenge for many companies in the next few months could be the data subject access rights. A survey by Deloitte found that the second greatest challenge for GDPR compliance was the right to erasure. Companies over the next month or two will quickly learn whether their preparations for data subject access requests (also referred to as DSARs) have been sufficient.
Broadly, the United Kingdom Information Commissioner’s Office (ICO) lists the following eight data subject rights from the GDPR:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
Of these, the rights of access, erasure and data portability are usually the biggest problems. Most companies compile data about individuals over time and that information can be found in both structured and unstructured data. In order to access, delete or export the data, they then need to track it down in multiple places.
If all incoming information is stored electronically and tagged with an identifier, then it is possible to subsequently identify all of the information provided by a specific person. If the system was not built to tag data in that fashion, it becomes much harder.
Personal data also needs to be tracked as it moves through the company in order to honor the right to erasure. If an employee exports user information into an Excel spreadsheet to produce a report, the data in that report also needs to be deleted when the individual asks to be forgotten.
In practice this means there needs to be either a program that executes the deletion across every store, or a manual process in which an employee goes through the appropriate databases and records and deletes the necessary information by hand.
Both systems require the organization to put in the work to produce a data map of all of the places that their user information can be found. The programmatic solution requires the upfront creation of software to execute the search and deletion. The manual solution requires sufficient staff who have been trained to go through the process for all of the requests that are made to the company. However, if there are more than a handful of requests, the manual process could get complex and more expensive in the long run.
Under both systems, there needs to also be the ability to execute a verification process to ensure that the procedure did actually end up deleting all of the user data.
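The tag-at-intake, data-map, erase and verify cycle described above, as an added example (hypothetical code written for this post, not Clarip's software or API; the store names, subject identifier `u-42` and records are constructed). It goes one step beyond the text by showing the failure mode the text warns about: an ad-hoc export that dropped the tag is missed by tag-based erasure, and only a verification sweep keyed on known identifier values (here the e-mail address) catches it.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed example: each "store" stands in for a database, report or
# spreadsheet where personal data can end up. Records ingested through the
# front door are tagged with the subject's identifier so they can be found again.
@dataclass
class DataMap:
    stores: dict[str, list[dict]] = field(default_factory=dict)

    def ingest(self, store: str, subject_id: str, record: dict) -> None:
        """Store a record and tag it with the subject identifier at intake."""
        self.stores.setdefault(store, []).append({"subject_id": subject_id, **record})

    def export(self, source: str, target: str, subject_id: str, keep_tag: bool) -> None:
        """Copy a subject's records into a derived store (a report, a spreadsheet).
        keep_tag=False models an ad-hoc export that drops the tag column."""
        for rec in self.stores.get(source, []):
            if rec["subject_id"] == subject_id:
                copy = dict(rec)
                if not keep_tag:
                    del copy["subject_id"]
                self.stores.setdefault(target, []).append(copy)

    def find_by_tag(self, subject_id: str) -> dict[str, int]:
        """Count tagged records per store: the programmatic right-of-access search."""
        return {name: sum(1 for r in recs if r.get("subject_id") == subject_id)
                for name, recs in self.stores.items()}

    def erase_by_tag(self, subject_id: str) -> dict[str, int]:
        """Delete every tagged record across all stores; returns counts removed per store."""
        removed = {}
        for name, recs in self.stores.items():
            kept = [r for r in recs if r.get("subject_id") != subject_id]
            removed[name] = len(recs) - len(kept)
            self.stores[name] = kept
        return removed

    def residue(self, subject_id: str, identifiers: dict) -> list[tuple[str, int]]:
        """Verification sweep: match on the tag OR on any known identifier value
        (e-mail, customer number) so that untagged copies are caught as well."""
        hits = []
        for name, recs in self.stores.items():
            for i, r in enumerate(recs):
                if r.get("subject_id") == subject_id or any(r.get(k) == v for k, v in identifiers.items()):
                    hits.append((name, i))
        return hits

    def erase_matching(self, identifiers: dict) -> dict[str, int]:
        """Fallback deletion by identifier value for records that lost their tag."""
        removed = {}
        for name, recs in self.stores.items():
            kept = [r for r in recs if not any(r.get(k) == v for k, v in identifiers.items())]
            removed[name] = len(recs) - len(kept)
            self.stores[name] = kept
        return removed


def build_demo() -> DataMap:
    """Constructed data: two subjects, two systems of record, two derived exports."""
    dm = DataMap()
    dm.ingest("crm", "u-42", {"email": "ana@example.com", "name": "Ana"})
    dm.ingest("crm", "u-7", {"email": "bo@example.com", "name": "Bo"})
    dm.ingest("billing", "u-42", {"email": "ana@example.com", "plan": "pro"})
    dm.export("crm", "marketing_report", "u-42", keep_tag=True)      # tag preserved
    dm.export("billing", "adhoc_spreadsheet", "u-42", keep_tag=False)  # tag lost
    return dm


def fulfil_erasure(dm: DataMap, subject_id: str, identifiers: dict) -> list[tuple[str, int]]:
    """Erase by tag, then verify; whatever comes back is untagged residue to deal with."""
    dm.erase_by_tag(subject_id)
    return dm.residue(subject_id, identifiers)


if __name__ == "__main__":
    dm = build_demo()
    ids = {"email": "ana@example.com"}
    print("access:", dm.find_by_tag("u-42"))
    print("residue after tag-based erasure:", fulfil_erasure(dm, "u-42", ids))
    dm.erase_matching(ids)
    print("residue after identifier-based erasure:", dm.residue("u-42", ids))
```

The point of the verification step is that it must not trust the same tag the deletion used; a sweep over the data map by the subject's known identifier values is what surfaces copies that were made outside the tagged path, which is exactly the spreadsheet-export case the text describes.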
No one has any idea how many consumers will ultimately decide to exercise their right of access or right to erasure. There have been a few comments in forums where people discussing the GDPR expressed eagerness to exercise these rights. However, most companies will find out in the next week or two whether EU citizens (and others) are going to start exercising their new rights and whether the companies have adequately prepared.
A Reuters article published yesterday discusses an organization that has recruited 20,000 volunteers to request their personal data from a German consumer credit rating agency and contribute it to the activist organization. If the credit rating agency had been planning for GDPR compliance through a manual process, the story should be a wake-up call that it needs to put an automated solution in place fast.
Is your solution for the access and erasure rights ready to stand up to 20,000 people using it?
The answer is likely no if you are using a manual process.
The solution is to implement the Clarip GDPR software with the consent management tool and the Privacy Center for Humans (TM). By tagging data as it comes into your organization and accessing it within your organization via the Clarip API, the data can be tracked later throughout your organization electronically. The Privacy Center for Humans (TM) is a DSAR Portal that allows users to submit data subject access requests to exercise their rights, and then permits your employees to gather or delete the personal data needed to fulfill the request.
Discover the Benefits of Privacy Management Software with Clarip
The Clarip data privacy software and team are available to help improve privacy and trust at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If you are working towards GDPR compliance, try our modular GDPR software. Start with our automated GDPR data mapping software, enhance your privacy program with DPIA software, and meet ePrivacy requirements with the cookie consent manager.
If CCPA compliance in 2020 is on your radar, ask us about our California Consumer Privacy Act software. Improve efficiency of responses to data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with our consent software.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.
More Blog Posts About Data Subject Rights:
Privacy Risks Emerge in DSAR Responses by Businesses
Survey: Majority of UK Consumers will Exercise Data Subject Access Rights in Next Year
Forrester: People Care about Data Privacy More Than Ever Before