While Data Subject Requests (DSRs) are not a new concept, with the enforcement of the GDPR back in May 2018, further guidelines have been introduced. With obligations becoming stricter and wider, as several additional requirements and exemptions were laid out by the EU privacy regulation, organisations often seem to be facing challenges in handling DSRs, primarily due to the complexity and time-consuming nature of the process. In this blog post, our privacy experts discuss the typical challenges organisations may face in addressing a request under each right, and provide guidance on finding solutions to these challenges.
Common organisational challenges under each right with regard to DSRs
The right to access
Under Article 15, the right of access intends to provide individuals with more control over their personal data. It does so by providing the possibility for individuals to know if an organisation is processing personal information about them, and request and obtain a copy of their personal data and other supplementary information processed by an organisation.
The GDPR does not specify what a request based on any of the data subject rights may contain, or via which medium it should be put forward. Since a request can be made to any employee or department within an organisation, organisations therefore also need to train staff so that they can recognise a request in time.
Additionally, the GDPR doesn’t specify what method should be used in addressing a request for access. Without a detailed outline and strict format, it can in some cases be difficult to determine which specific personal data, among everything an organisation holds and processes, the requester wants to view. Since many organisations process and store large amounts of personal data, complying with the request might prove challenging if it’s not limited in scope. As a consequence, the process can become even lengthier than it would normally be, as further information about the request needs to be sought.
The right to data portability
Under Article 20, the right of portability allows individuals to request data either to store it for personal use or to transfer their personal data to another service provider. A concrete example for such a situation would be a patient of a private clinic in the Netherlands, who wants to use services of a clinic in Belgium. In this case, the person can request the clinic in the Netherlands to provide them with electronic files containing their personal information in a machine-readable and commonly structured format, to enable transmission of data to relevant health professionals in Belgium.
However, transferring personal data in the same machine-readable format as the one used by another service provider might take heavy administrative or manual work, again making the process lengthier. The lack of uniform standards across sectors for the ideal format to be used for this purpose can therefore mean further issues for organisations.
The right to erasure
The right to erasure, also known as the right to be forgotten, allows an individual to have their personal data erased. According to the GDPR and the Dutch Data Protection Authority (AP), this right is applicable, for example, in cases where data is no longer needed for the purpose for which it was collected, when consent is withdrawn, when the data subject objects to the processing, or when the personal data has been processed unlawfully.
While the guidelines might be more specific for this right than for others, organisations may face the practical challenge of ensuring that such a request is completely catered to, as it requires the erasure of all copies of the data and links to the data, and also of any digital backup of it and of any data further shared with third parties. Complying fully with this obligation therefore requires a strict, formal, and efficient procedure in place, with an up-to-date data repository to track any use, sharing or storage of personal data. Otherwise, the deletion of copies of or links to the data could be a mammoth task for any organisation.
Right to restriction of processing
The GDPR also provides individuals with the right to restrict the use of their personal data by an organisation under Article 18, in case their information is incorrect, incomplete, no longer necessary for its purpose, or if the processing is deemed unlawful. The practical implementation of a restriction on ongoing processing may pose a challenge for organisations, since the identification of the request itself could easily be confused with the right to object.
This can be problematic as both of the aforementioned rights can be exercised under their own specific conditions. While objection is always applicable when it concerns direct marketing, restriction is applicable only in certain circumstances. A recent discussion held by the EDPB with stakeholders also highlighted the need for guidance by the EDPB in regard to the right to restriction.
Processing could be restricted for a specific duration, and this requires organisations to have processes in place to inform any recipients of the personal data about the restriction of processing of data shared with them, and to inform the individuals once such a restriction is removed. The different methods of restriction, such as temporarily moving the data to another processing system or making the data unavailable to users, require extensive expertise and training of employees to be able to handle the data carefully and to cater to such a request. This can add to the administrative and financial burden for an organisation, as implementing the necessary means, tools, and training of personnel requires investment.
The right to object
Concerns have been raised by organisations regarding the distinction between the right to object and the right to restrict processing or erasure, especially in the context of direct marketing. Data subjects are often confused about the meaning and scope of these rights, resulting in unclear requests. Since objection is a near-absolute right and always applicable in the case of direct marketing, whereas restriction is not, the distinction is important.
The right not to be subject to automated decision-making, including profiling
The GDPR also provides individuals with the right not to be subject to automated decision-making or profiling. Where processing is done without human intervention, it becomes crucial for organisations to regularly check their applications and processing activities. Having procedures to provide individuals with information about such processing, introducing simpler methods of requesting human intervention, or carrying out regular checks to make sure that the systems do not lead to automated decisions will also require additional procedures.
The need to introduce new procedures to address such a request and ensure it is closed within the set time-frame can pose a challenge to organisations, as the additional procedural work requires trained personnel equipped to handle the requests. Any delay due to the lack of a process in place can lead to non-compliance; it is therefore crucial that organisations plan ahead and introduce efficiency-oriented procedures or tools to help take decisions accordingly.
Optimising the process and overcoming challenges
Responding to DSRs in practice is not an easy job: the practical implementation challenges faced by organisations in addressing and responding to DSRs require companies to scale up their privacy management programs. Besides extensively training the employees responsible for addressing data subject rights requests, introducing automation through compliance software could prove to be extremely helpful for DPOs and other privacy professionals in overcoming all the challenges listed above.
That’s because a tool or software with integrated automation for privacy tasks can help organisations with shortening the amount of time spent on responding to requests, optimise the process, ease its complexity, and ensure the trust of their data subjects in the long run through timely and appropriate responses.
For instance, in the case of the right of access, a compliance tool can help overcome the challenge of spending time and resources on seeking further information to identify what exactly a data subject is looking for, by offering a dedicated request form on the organisation’s website that is integrated with the software. Such a form can resolve any confusion around which personal data someone wishes to access, by collecting all necessary information in a uniform format customised to the DPO’s needs. The process might then be streamlined further by handling the request from within the same tool as well.
Pre-defined frameworks and automated workflows offered by such software will also come in very handy for all rights, showing what each request entails according to the GDPR, and providing a centralised, continuously updated, automatic procedure. Furthermore, a duly redacted identification document could be uploaded along with the request to make identity verification easier, with the document protected within the integrated software.
With all requests and related processing activities stored in one secure tool, responding to an erasure request becomes significantly easier, as all associated data sources and recipients, and their placement throughout the organisation’s data flow, can be detected with a click of a button.
Where request information and personal data are stored in a consistent format throughout, it also becomes possible to sort and export data in various formats, which is especially useful where an individual wishes to exercise their right to data portability.
An additional feature that may help with streamlining the process further is data mapping. It allows the collection of relevant data elements from a database with associated recipients or third parties with whom personal data is shared, and therefore can help the person/department better handle any requests.
To be able to make a better distinction between the right to object and the right to restrict processing when it comes to a request, a tool could play an instrumental role in recommending the category in which a DSR should fall, based on the content of the request. This would minimise the chances of a misclassified request and even of non-compliance. As always, automating this process can save further time and financial costs for organisations.
Further to this, being able to track the status of a request in real time, receiving reminders of remaining tasks with the deadline of responding to a request approaching, or the ability to assign a task/approval request to a department/employee, or even a joint controller (if applicable) can ensure that no request remains unaddressed.
To guarantee that all data subjects are granted their rights in regard to automated decision-making, periodic, customised notifications can be set up, reminding the responsible department or authorised person to check that no processing operation involves automated decision-making or profiling.
At the end of the day, being able to receive and handle DSRs from within one, secure tool, automating otherwise huge manual and admin tasks, and having a continuously updated step-by-step framework guiding the DPO/Privacy Officer can help optimise the process company-wide, and enhance operational efficiency.
GDPR Compliance - an opportunity, not an obstacle
In light of the many challenges that an organisation may face in addressing a DSR, it is essential to take a look at how technology and automation may help in making daily tasks more efficient. With the help of technology, processes can be heavily optimised, made shorter and more dynamic, whilst ensuring organisational compliance, and that the data subjects are fully serviced according to their rights. Introducing such orchestration in DSR processes can also help create a better overall management, ensuring timely compliance with the legal requirements and avoiding unnecessary procedural delays.
Achieving compliance with the GDPR is not easy. At the end of the day, though, the investment in resources and training is well worth it: GDPR-compliant organisations experience an increase not only in accountability, but also in customer trust, business transparency, customer engagement, and even reduced sales cycles. If your organisation is in need of a DSR framework to get started, luckily, there are several tools out there today that can make the process smoother and more efficient. Try our 14-day free trial to experience it yourself.