So you have just received an e-mail titled “Delete all my data!” or “Send me everything you know about me!”. After the initial shock, you will soon realise that what you are faced with is most probably a data subject request under the new General Data Protection Regulation (GDPR).
The EU’s new Regulation, which has an enormous scope of applicability and a long list of new obligations for data controllers, gives data subjects extraordinary new rights that are quite timely in today’s digital age. So let’s see what you should do when you receive such an e-mail!
1. Realise that you received a Subject Request
Requests can come in any form: they will most probably take the shape of an e-mail, a phone call or a letter. However, your company should also have the necessary procedures for handling a request that is submitted in person, for example in your store or offices. A request may concern the Right of Access (GDPR Article 15); the Right to Rectification or the Right to Erasure (GDPR Articles 16 and 17); the Right to Restriction of Processing (GDPR Article 18); the Right to Data Portability (GDPR Article 20); or the Right to Object (GDPR Article 21). The request you receive will probably not be titled with any of these names. It is therefore important to communicate with the data subject: this is the safest way for you as a data controller to be absolutely sure about the nature and scope of the request itself. It also makes a good impression on the data subject and builds their trust!
2. Be able to verify the identity of the data subject
After you have established that you have received a subject request in the terms of the GDPR, you have to verify that the person submitting the request is indeed the person he/she claims to be. The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. The most commonly used method is to verify the data subject’s e-mail address. If he/she has access to the account that is registered in your systems, you can be quite sure that you are not dealing with an impostor. A very effective complementary method is called knowledge-based verification. This means that you ask a certain set of questions that can only be answered by the person the processed information actually belongs to. This could be as simple as asking “When did you last sign in to our system?” or “What was the last playlist you listened to on the service?”.
3. Have a thorough process in place for the completion of the request
This is a very important one.
Article 12(3) GDPR sets forth that the controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. In practice this means that you have to answer as soon as possible, and in order to do that you must be ready before the requests come knocking on your door. You should designate a first responder who will handle the verification of the data subject and the initial communication. Once the requester is verified, you will have to gather all information regarding the person concerned (in the case of an access request), compile it in a clear and easy to understand format, and send it back to the data subject. You have to be able to do this in 30 days, regardless of whether you receive one request a month or a hundred. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. It is also imperative to keep a record of all actions taken during the response.
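As an added illustration of steps 2 and 3 (not code from the original article or from Revealu), here is a minimal request tracker that ties together identity verification (registered address plus knowledge-based answers, compared in constant time so a wrong answer cannot be told apart by timing), the one-month deadline with the two-month extension, and a record of every action taken. The field names, the `add_months` helper and the sample answers are assumptions chosen for the example.

```python
import calendar
import hmac
from dataclasses import dataclass, field
from datetime import date


def add_months(d: date, months: int) -> date:
    """Same day of the month `months` later, clamped to month end (31 Jan -> 28/29 Feb)."""
    m = d.month - 1 + months
    year, month = d.year + m // 12, m % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class SubjectRequest:
    kind: str                  # "access" (Art. 15), "erasure" (Art. 17), ...
    sender: str                # address the request arrived from
    received: date
    verified: bool = False
    extension_months: int = 0  # Art. 12(3): at most two further months in total
    log: list = field(default_factory=list)

    def record(self, when: date, action: str) -> None:
        """Keep a record of every action taken while handling the request."""
        self.log.append((when.isoformat(), action))

    def verify(self, when: date, account_email: str, expected: dict, given: dict) -> bool:
        """Requester must control the registered address AND answer every
        knowledge-based question (constructed sample questions in the test)."""
        same_account = hmac.compare_digest(account_email.lower().encode(), self.sender.lower().encode())
        answers_ok = all(hmac.compare_digest(expected[q].encode(), given.get(q, "").encode())
                         for q in expected)
        self.verified = same_account and answers_ok
        self.record(when, "identity verified" if self.verified else "identity check failed")
        return self.verified

    def extend(self, when: date, months: int, reason: str) -> None:
        """Only before the current deadline, and never beyond two extra months."""
        if when > self.deadline() or not 1 <= months <= 2 - self.extension_months:
            raise ValueError("extension not permitted")
        self.extension_months += months
        self.record(when, f"deadline extended by {months} month(s): {reason}")

    def deadline(self) -> date:
        return add_months(self.received, 1 + self.extension_months)

    def overdue(self, today: date) -> bool:
        return today > self.deadline()
```

The month arithmetic is a simplification: a request received on 31 January falls due on the last day of February, and any extension must be decided and logged before the original deadline passes.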
4. Be able to gather all the necessary information
5. Provide the information in an easy to understand format
The principle of transparency requires that any information and communication relating to the processing of personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing, and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. You may also use graphical tools to make the information more understandable. When the request is made electronically, the answer must also be provided electronically. Where possible, the controller should be able to provide remote access to a secure system which gives the data subject direct access to his or her personal data, for example through a Data Subject Access Portal such as the one available in Revealu Business.
6. Fulfill the request within the deadline
If you have followed all the above steps, you should now be able to fulfil any request addressed to you as a data controller within the legal deadline.
The most important take-away from this article is to be prepared. You need to think ahead and prepare for a time when data consciousness will be the standard. In the coming decades, the processing of personal data will be tightly controlled not only by regulators, but also by the users themselves. If you commit one tiny mistake and suffer a data breach or any kind of incident involving the loss of personal data, the wrath of your users will most probably come in the form of Subject Access Requests.
Try out the future of GDPR request management by signing up to our automated, digital solution Revealu Business. Set up your customer portal in a matter of minutes and project trust to your customers. Do it right once, be compliant forever.