The EU General Data Protection Regulation provides individuals with a variety of rights to enforce against organizations that are processing their personal data. These rights allow individuals to have control over and place limits on the collection, use and disclosure of their data.
Specifically, under the GDPR, data controllers have obligations regarding these rights, and processors must assist the controllers with the fulfillment of those obligations. Of course, handling data-subject requests is not only about compliance, but it is also an opportunity to improve customer relations, service delivery and reputation.
The following are some considerations for organizations to take into account when thinking about how best to operationalize requirements related to the data subject rights found in Articles 12–22.
Operational considerations
Identify what you already have
As with any new undertaking, the common place to start is to identify what you already have. To properly handle requests, knowledge of the personal data being processed and of any current policies or procedures around handling requests should be reviewed. It is also important to ensure that personal data about a particular individual is accessible and easy to find. Moreover, personal data does not need to be retained for the purpose of being able to respond to a potential access request in the future. Therefore, implementing data retention policies and regularly deleting data that is no longer needed will be powerful tools for managing request workloads while also respecting privacy and demonstrating compliance with other requirements of the GDPR.
Determine what you need
After identifying what you have, the next step is to determine what you need. In terms of compliance with the GDPR, this will likely mean performing a gap analysis to review existing program components against Articles 12–22 of the GDPR. For example, perhaps your current privacy notice is already presented in a concise, transparent, intelligible and easily accessible form. In that case, it may just need to be enhanced to ensure that all of the specific requirements for content of the notice under Articles 13 and 14 are met.
It will also be important for organizations to determine where they are acting as a controller or processor of personal data on a given processing activity, to identify legal requirements as to data subject requests. Doing so can also help organizations to better prioritize, and in some cases limit, their work by first identifying their role.
Fill in the gaps
After identifying what you have, and determining what you need, the next step is to begin the work to either create or enhance your current data-subject request policies and procedures to address the requirements of the GDPR. For example, draft a step-by-step internal process or checklist for your business-users to follow when handling data subject requests. Ensure that the process is standardized enough so that employees know exactly what to do for each step along the way.
Identify triggers and embed processes
Identify what business teams are likely to receive data subject requests, and work with them to ensure that they understand your updated policies and procedures, and how to identify and handle requests. If these teams have existing tools that they use for other projects, consider leveraging these tools and methodologies as much as possible. For example, if your professional services team uses a CRM, think of ways in which you can increase efficiency by adding an API integration between that tool and the privacy management tool your team uses.
Keep business-users in mind
When building to address the requirements of the GDPR, it is imperative that you keep your business-users (the people who will be doing the bulk of the work) in mind. For example, if you plan to use a questionnaire for your business-users to fill out after receiving a data subject request, provide your users with multiple-choice answers to jog their memory, or a “not sure” option to reduce guessing and inaccurate responses.
Use thresholds
Not every request from data subjects will be valid, and some will not even trigger the GDPR. Try using threshold questions to weed out and triage requests, to ensure that work is prioritized according to complexity or to requests that carry more legal, business or reputational risk. Use of thresholds also helps with demonstrating to regulators and stakeholders that your organization takes a thoughtful approach to compliance.
Enable tequests
Also think about how you will facilitate the exercise of data-subject rights under the GDPR. Will you provide them with a link to an SFTP site where users can create login credentials and have secure communications with your organization regarding their request? Or, will you simply communicate via email? For employees, will you provide them with a link on your company intranet for submitting requests? Allowing users to submit requests from within an environment where they already have login credentials (e.g., a web or mobile app) can assist with verifying the identity of requesters.
The ability to redact data will also be important, as fulfilling data subject rights must not adversely affect the rights and freedoms of others, and thorough documentation will be paramount for demonstrating any rationale for refusing to act on a request.
Organize and manage requests
Next, think about how you will keep all of these requests organized in a queue, and who will manage that queue. Perhaps this is done by someone on the privacy team, or maybe you delegate this to your privacy champions. Queue management will be particularly important for meeting the strict timelines imposed by the GDPR. For this reason, it will be important to have the ability to categorize and filter requests by status (e.g., new, in progress, completed) and age.
Generate reports and metrics
The GDPR requires that organizations be able to demonstrate compliance, and therefore it will be important to keep evidence of requests, their fulfillment, or reasons for denial. This might include the data subject’s basic identifying information, details of their request, who handled the request and the outcome, as well as the time of responding. You may also need to keep copies of any internal or external correspondence as evidence of request fulfillment. However, in keeping with data minimization principles, you should only keep the minimum necessary to achieve these aims.
Request volume, average time of fulfillment or response, and number of requests per data subject can also be tracked to ensure continuous improvement of the request handling process.
For many U.S. organizations that will be subject to the GDPR, dealing with these requests and the legal requirements that accompany them will be a new experience. For these reasons, preparations will need to be made for when the floodgates open May 25, 2018.
photo credit: Research Data Management via photopin (license)