Data subject rights: are you an open book?
One of the important "control mechanisms" for GDPR compliance is the fact that data subjects can practice certain rights. These rights not only ensure that data subjects remain in control of their personal data, but they also act as an important check for your organization. Can you respond adequately to a data subject's request? Do you have a quick overview of the personal data the data subject requests? Do you know which systems contain these personal data? In short, it’s time to be an open book!
In practice, it can be difficult to respond adequately to a data subject's request for various reasons, such as a high workload. As a result, the request is not handled entirely according to the rules prescribed by the GDPR. For what reasons can handling a data subject's request go wrong?
First of all, it appears to be firmly difficult to meet the deadline for handling, which is at least within 1 month. This can occur because the request is not immediately recognized as a request under the GDPR and is not timely forwarded to the Privacy Officer or Data Protection Officer. The extension period of another 2 months can only be used for complex requests. Therefore, falling back on this possibility is often not an option.
Second, there may also be discussion as to the nature of the request; often a single request appears to cover several rights. For example, it happens that the request for access to personal data is combined with the request for erasure. Sometimes only one of the two requests is then dealt with, which is not only contrary to the GDPR but also causes great annoyance with the data subject.
Third, more than just the relevant information is often shared with the data subject requesting access. The reaction to a request for access to personal data is sometimes sending an entire file while the data subject only asks for specific information. In the worst case, the file is not anonymized, violating the rights of others (e.g., one's own employees).
To sum up, handling the rights of data subjects is no easy task. Therefore, these are four important tips for properly handling the requests of data subjects:
Tip 1: Set up a clear process for handling data subject requests
Ensure that a request is always handled according to a set procedure. This ensures, on the one hand, that the applicable deadline is met and, on the other hand, that the correct steps are followed and nothing is forgotten. Another important point is that this procedure is also known throughout the organization and employees know by whom and in what way a request should be handled.
Tip 2: Make sure employees are familiar with data subjects' rights (in outline)
Ensure that your own employees are familiar with the rights of data subjects. This can be done, for example, by addressing this during work consultations. It is best to do this based on a specific request. Make a case of it and discuss it. Of course, not all employees need to know all the different rights in detail, but it is important that they can recognize when a request is made by a data subject. Then they can immediately forward it to the Privacy Officer or Data Protection Officer.
Tip 3: Secure a substantive review of incoming requests
Make sure the person reviewing the request is well versed in the specific terms of each type of right. After all, there are different requirements for each request, so it is important to make a good assessment of whether data subjects may actually exercise their right based on the GDPR. Indeed, there may be reasons to reject a request. For example, if a request infringes on the rights and freedoms of others. So be alert to this.
Tip 4: Always contact the data subject!
As soon as possible after receiving the request, make sure you contact the data subject. First of all, this is beneficial for the relationship with the data subject. You show that you take him seriously and that you are adequately addressing the request. Second, it can save a lot of work. Ask the individual what exactly he expects. What information is important to him? This prevents you from sending far too much or too little. Make clear what type of request is involved, if that is not entirely clear. This ensures that there is no misunderstanding and mutual expectations are clear.
Want a quick overview of data subjects' rights and applicable requirements? Then download the new version of the GDPR Toolkit App below now (only in Dutch). In it you will find a clear overview of the rights and get handy references to practical information about the various rights.