The European privacy regulation GDPR has now been in force for more than one year. When you process personal data, the law grants the people whose data you are processing, the data subjects, a number of rights. You have to provide them with a way to exercise those rights, and you have to respond to such requests in a timely manner, and no later than 30 days after receiving the request. Here are some of the things you will have to comply with in most cases:
- Grant access to the data you have stored about the data subject
- A request to make a correction in the data you have about them
- A request to delete the data
You can read more about the rights individuals have to decide how you use their personal data in our post https://cybehave.no/2019/07/07/privacy-isnt-about-secrecy-it-is-about-human-rights/.
Dealing with a request
When receiving a request from someone whose data you are processing, you have to take care of 2 things:
- Respond to the request
- Document that the request has been resolved in accordance with requirements (privacy, security, speed of response)
We can summarize this process in a simple workflow.
Each of the four phases in treating a request has its own challenges that need to be managed in terms of performance, privacy and security.
- Receive: you need a secure way for the data subject to contact you with the request. Many are using email for this. If the request itself contains sensitive information this can be a problem because most email is not encrypted in transit. It can also become a performance issue due to lack of standardization of the input format leading to unclear requests requiring further clarifications before the request can be treated. Email also has the problem of spam, and privacy inboxes (addresses like firstname.lastname@example.org) tend to receive a lot of spam. Logging of the time for receiving the request is necessary for compliance tracking.
- Acknowledge: the data subject needs to get a confirmation that the request has been received, and when and how to expect a response. The request should also be classified to make it easier to treat for the privacy team (is it an access request, a deletion request, or something else? What product or project does it relate to?). Sometimes data subjects will submit requests from one-time email addresses, or they may not define in clear terms what they are asking for. In this case, asking for more information will be necessary before acknowledging the request. When acknowledging, the response must be sent and the time must be logged. The deadline of 30 days is now running. If you do not acknowledge, the deadline runs from the time the data subject sent the request – which can be challenging if it is drowning in spam in the privacy inbox.
- Analyze: in this phase the privacy team has to decide if the data subject’s request is in line with the rights under the GDPR and the legal ground for performing the processing in the first place. Then the data has to be located and a response prepared. Actions taken should be logged for compliance (who, when, what). Locating the data can often be challenging, especially if it is not clear which products or projects the data has been processed in relation to.
- Resolve: the analysis has been concluded and the data subject is notified. This has to be logged. For compliance reasons, it is best if there is a confirmation that the resolution has been received by the data subject, but this can be difficult to achieve.
DSAR Management Risks
There are several risks to take note of here:
- Requests may be overlooked because of too much spam, or may not reach the privacy team if caught in a spam filter.
- Data leaks may occur due to insecure communication channels, such as email (depending on the email servers of both sender and receiver).
- Extra work will likely be needed for clarifications because the requests themselves are unclear. If not handled in a good way this may lead to delays, or misunderstandings.
- Lack of compliance proof can make it hard to show that DSAR responses are in accordance with requirements. A single accusation or an audit can cause significant costs if proof is lacking.
All these risks could be considered a breach of the GDPR. Managing the DSAR process itself is thus an important part of compliance.
PrivacyBox: The Cybehave Antidote to DSAR Chaos
To help streamline the DSAR management process, Cybehave has created a simple SaaS solution that ensures requests are well specified, that there is virtually no spam and compliance logging is automatic. Read more about our solution here: PrivacyBox.