More on data subject access requests
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via email@example.com; twitter: @moshoke
September 20, 2021
After the implementation of the General Data Protection Regulation (GDPR) in Europe, individuals realised the power given back to them. They can ask companies to remove their data, correct information held about them, or stop processing their data. This led companies to pour considerable resources into handling data subject access requests (DSARs).
What’s more, the regulation led to a spike in DSARs. In 2018 alone, there was a fifty-six percent increase in data subject access requests in the United Kingdom.
What most companies fail to understand is that certain requests can be rejected outright. For example, an individual used his account for fraudulent activities; the bank found out and shut his account down. Some weeks later, he requested that his details be deleted. The simple answer in this case is NO. In GDPR speak, this request is ‘manifestly unfounded’.
According to the regulation, a request may be manifestly unfounded if an individual makes it in order to obtain some form of benefit from the organisation, or if the individual intends to harass the organisation and disrupt its day-to-day activities. Another example is where an individual makes a request and informs the company that if they credit her account with a specified sum of money, she will withdraw the request. One can conclude that such a request is manifestly unfounded.
A company can also reject a request because it is manifestly excessive. What does this mean? It means the request is unreasonable. There are certain yardsticks that can be used to measure this. The company must pay attention to the circumstances of the request, which include, but are not limited to, the nature of the requested information, the resources available, repeated requests, and whether disclosing that information would cause damage to other individuals.
Companies must not rush to reject a request using the words excessive or unfounded. A good organisation will consider the request and where they find it unfounded or excessive, they must be able to demonstrate it.
A good data subject access procedure can make or mar any company’s data privacy compliance framework. There are five main stages a company must put in place to create a smooth process: the intake process, the validation process, the data collection process, the review process and the delivery process. When these stages are joined together, handling a subject access request becomes straightforward.
The intake process covers how the company receives the request. This could be by email, text message, social media or telephone call. A good company would consider making it easy for data subjects to make these requests. For example, an individual tweets at a company about an error in his details and the company provides actionable steps via the same social media platform.
The validation process requires companies to check that the data subject presents certain documentation as proof of identity. If the person is an employee of the organisation, then an email from the company’s own account can suffice.
The next step is to collect the data that has been requested. It can be emails, conversations and even CCTV footage. These datasets must be organised.
The review stage entails checking the data so that any information that is not supposed to reach the data subject has been redacted and, most importantly, confirming that what remains meets the data subject’s requirement.
The delivery process covers how the data will be delivered to the individual. Delivery must be done in a safe and secure manner. If the company is going to deliver by email, then the document must be password-protected, and if it is going by post, then using a reliable delivery company is a must.
There is more to handling data subject access requests. The technicalities can be cumbersome for bigger organisations, but a well-defined process can ease the administrative burden. DSARs are a cornerstone of any data privacy compliance framework, and companies must create processes that fit their business functions.