Data subject access requests have been on privacy professionals' radar since the EU General Data Protection Regulation was passed. Plenty of technology solutions were created to help organizations handle those requests once they started pouring in.

Despite year one of the GDPR coming to a close, there's still a lot for privacy professionals to learn, especially as they wait for regulators to make their moves. That was according to speakers at an active learning session at the IAPP Global Privacy Summit in Washington recently.

The panel featured Colleary & Co Principal and Founder, Pembroke Privacy Director of Data Protection and the IAPP’s Country Leader for Ireland Kate Colleary, CIPP/E, Panetta & Associati Managing Partner and the IAPP’s Country Leader for Italy Rocco Panetta, CIPP/E and Fieldfisher Partner, Head of Privacy, Security and Information Hazel Grant, CIPP/E.

An essential component to staying out of regulators' crosshairs is complying with DSAR time requirements. Organizations must respond to a DSAR within one month of receiving it, and while an extension can be granted under certain circumstances, Colleary said companies should exercise caution in asking for one. 

The Irish Data Protection Commission, for example, will take a “dim view” toward organizations that continuously ask to extend DSAR deadlines. She said an extension should be asked for only in instances such as when the volume of requests is too much to handle. Should regulators begin to receive complaints about a company’s responses to the requests, Colleary said it might raise “red flags” that their processes are not up to muster.

That is not to say entities should rush to fill out the requests as soon as possible.

“You need to really read the request really carefully, pore over it,” Grant said. “If you have the time, you should think about it.”

Reading over the inquiries thoroughly is important in determining whether the information falls within the scope of the request. Grant said regulators look to see organizations do just that. In addition, communication is an important aspect of responding to requests, and privacy professionals would be wise not to let them fall by the wayside.

“My advice is to respond to the request. Let them know you have it,” Grant said. “If it is really complicated, drip out the answers. Take your time with it. That is going to look better to a regulator than running away, putting your head in the sand and ignoring it.”

Colleary offered a similar sentiment.

“To avoid trouble down the road, engage with the data subject and show that you have a process in place,” Colleary said. “Sending a receipt that says you received the request shows you have a good process in place. Silence up until day 29 or 30 and then blasting a subject with only part of the information isn’t going to work.”

Another way to avoid trouble down the road is for organizations to keep track of their DSAR processes in case regulators decide to conduct an audit. Grant said companies are not perfect and will make mistakes; however, it is important for an entity to show regulators all of the requests it has been able to fulfill in the event even one is not properly executed.

“Having some sort of audit of how your process works, and the outcome of the process, is important,” Grant said. “It’s important because under GDPR you are meant to be accountable. Think about your accountability record and get it in place now, because it will pay dividends in the future.”

Gray areas 

As with many parts of GDPR compliance, there are still gray areas around DSARs — for example, identifying whether an inquiry is a legitimate one. As Grant said during the session, the magic words “data subject access requests” are necessarily not going to appear in the message.

Adding to the complexity is that there is a chance the information sought out by a subject will be used in a lawsuit against the company fulfilling the request. Panetta said it is important for whatever department handles the probes to be staffed by individuals who not only respond to DSARs in a timely manner, but also can do their best to sort out bogus requests sent by people “abusing the exercise of this right.”

The conversation may have focused on the GDPR here, but chatter around data subject access rights more broadly is not going to quiet down any time soon. With the countdown to the California Consumer Privacy Act shrinking by the day, and other privacy laws surely to pop up globally, organizations will have to lock down their DSAR processes sooner rather than later.