In my latest post, I outlined the process involved in the actual response to DSAR requests. In my last article of this series, I will discuss the best practices and workflows that your organization should follow when responding to DSAR requests.
Generally, “controllers” are responsible for responding to DSARs, and “processors” assist them in handling the requests. Here are my recommendations for best practices in responding to DSARs to ensure General Data Protection Regulation (GDPR) compliance:
Review and Update Privacy Notices and Policies
The GDPR requires organizations to inform data subjects of their rights. Companies need to make sure that their existing policies comply with the new entitlements given to data subjects by the law, including the right to:
- Obtain certain information from the controller beforehand, and without asking for it
- Be made aware of whether a controller is processing their data and how it was collected
- Request that inaccurate personal data about them be rectified, with communication regarding the rectification made to each recipient of the data
- Demand that their personal data be erased and no longer processed (right to be forgotten)
- Ask the controller to restrict the processing of their data
- Receive their data in a structure, commonly-used format for transmission elsewhere (data portability)
- Object to the handling of their data at any time (in certain circumstances)
- Not be subject to decisions based solely on automated processing
- Withdraw consent at any time during processing
In certain circumstances, EU member states may pass legislation to limit DSAR requests under local law. One example of this is the UK’s Data Protection Act of 2018.
Create and Implement a DSAR Process
Your company needs to have a process in place to address:
- How you will enable DSARs, e.g., offering a standardized online form for submission
- What those who receive DSARs will be required to do
- How requests to obtain or delete data will be processed
- How to efficiently and securely handle responses to the data subject
According to the GDPR, controllers must demonstrate compliance with the law and monitor the requests received. This should be done by tracking how many DSAR requests are made each month, how many requests are being accepted and rejected, and prioritizing the oldest requests to ensure that a response is made within one month, as required by law. Monitoring your process will allow you to revise it if necessary, allocate the appropriate amount of resources, and identify any gaps in your workflow.
Weigh Your Options for Hosting and Automation
You will need to consider your hosting options for providing the data to the requestor: either in-house servers hosted behind the organization’s firewalls, or externally through the use of a communication portal.
Automation can often be seamlessly integrated into your internal systems, and can be extremely helpful in the handling of DSARs by ensuring that:
- Critical deadlines are met
- Requests are verified
- Data exempt from disclosure requirements is identified
- Assignments to facilitate responses are made
- Extensions are requested promptly
- You are tracking your response process
Freeing up your team from manually tracking and storing data will increase efficiency, cut operational overhead, enable a more accurate response, and prevent your organization from wasting time on inauthentic DSAR requests.
One of your biggest challenges will probably be how to train critical employees. Those requiring training will likely include:
- Support personnel and other employees who receive the requests
- Those who will be responsible for implementing the requests
- Your internal privacy team<
To minimize the risk of costly sanctions for noncompliance, your staff will need to understand the importance of prompt response to a DSAR request.