How to answer a GDPR data subject request in 6 steps

So you have just received an e-mail with the title “Delete all my data!”, or “Send me everything you know about me!”. After the initial shock, you will have to soon realise, that what you are now faced with is most probably a data subject request under the framework of the new General Data Protection Regulation.

The EU’s new Regulation, which has an enormous scope of applicability and tons of new obligations for data controllers, gives the data subjects extraordinary new rights, that allow them to exercise new rights that are quite timely in today’s digital age. So let’s see what you should do when you receive such an e-mail!



1. Realise that you received a Subject Request


Requests can come in any form: they will most probably take the shape of an e-mail, a phone call or a letter. However, your company should also have the necessary procedures for handling a request that is submitted personally, for example in your store or offices. A request may be a Right of Access (GDPR Article 15); Right to Rectification or Right to Erasure (GDPR Article 16 & 17); Right to restriction of processing (GDPR Article 18); Right to Data Portability (GDPR Article 20) or a Right to Object (GDPR Article 21). The request you received will probably not be titled as these rights above. It is important therefore to communicate with the data subject: this is the safest way for you as a data controller to be absolutely sure about the nature and scope of the request itself. And it also makes a very nice impression to and builds the trust of the data subject!



2. Be able to verify the identity of the data subject 

After you have established that you received a subject request in the terms of the GDPR, you have to verify that the person submitting the request is indeed person he/she claims to be. The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. The most commonly used method is to verify the data subject’s e-mail address. If he/she has access to the account that is registered to you systems, you can be quite sure that you are not dealing with an impostor. A very effective way of making sure is called knowledge based verification. This means, that you ask a certain set of questions, that only those can answer, who own the information you process about them. This could be as simple as asking “When did you last sign-in to our system” or “What was the last playlist you listened to on the service?”.



3. Have a thorough process in place for the completion of the request

This is a very important one. 

Article 12 (3) GDPR sets forth that the controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. What this basically means, is that you have to answer ASAP. And in order to do that, you must be ready for the time when requests come knocking on your door. You should designate a first responder, who will handle the verification of the data subject and the initial communication. Once verified, you will have to gather all information regarding the concerned person (in the case of an access request) and compile it in a clear and easy to understand format, and send it back to the data subject. You have to be able to do this in 30 days, regardless of whether you receive 1 request a month or a hundred. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. Also, it is imperative to keep a record of all actions taken during the response.


4. Be able to gather all the necessary information



You have multiple databases. You store data in ten different formats. You even store personal data on papers in your safe. And yes, you will have to search them all. This is probably the hardest part of the process: you need to be able to gather all the necessary information that the data subject requests. This is of course the most relevant in the case of Subject Access Requests (‘SAR’). Article 15 GDPR sets forth the various information that you have to provide upon such a request. Most importantly the data subject has the right to access “the personal data (…) that is processed by the data controller and the following information: (…)”. You should always keep in mind that the data subject can always look up your privacy policy and check whether or not you provided all the information that you claim to be processing according to your policy. That is why it is a good idea to check, whether you fulfilled all the requirements of the GDPR regarding the content of such answer.


5. Provide the information in an easy to understand format


The principle of transparency requires that any information and communication relating to the processing of personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. You may also use graphical tools to make the information more understandable. When the request is made electronically, it is required that the answer be also submitted electronically. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data, for example through a Data Subject Access Portal, that is available in Revealu Business.


6. Fulfill the request within the deadline


If you have followed all the above steps, you should now be able to fulfil any request that should be addressed to you as a data controller within the legal deadline.

The most important take-away from this article is to be prepared. You need to think ahead and prepare for a time when data consciousness will be standard. In the following decades, the processing of personal data will be tightly controlled not only be regulators, but also by the users themselves. If you commit one tiny mistake and suffer a data breach or any kind of incident involving the loss of personal data, the wrath of your users will most probably come in the form of Subject Access Requests.

Try out the future of GDPR request management by signing up to our automated, digital solution Revealu Business. Set up your customer portal in a matter of minutes and project trust to your customers. Do it right once, be compliant forever.



Are you ready to supercharge
your compliance efforts with Revealu?

Add a Comment

Your email address will not be published. Required fields are marked *