October 27, 2021

 Jeff Rohlmeier

data privacy GDPR privacy

Over the past several years, prominent privacy and data protection laws, such as Europe’s General Data Protection Regulation (GDPR), Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD), and California’s Consumer Privacy Act (CCPA), have brought greater attention to the topic of Data Subject Access Rights (DSARs). Under those laws and several others globally, individuals (consumers, households, and even employees) have the right to “Access” their personal data. Though actual requirements may vary by jurisdiction, “Access” typically includes the rights to:

• Review (or “Know”) what personal data an organisation has about you.
• Correct (or “Rectify”; or amend) your personal data.
• Delete (or block; or anonymise) personal data that the organisation has about you.
• Data Portability, i.e., the right to have a machine-readable copy of your personal data.

Historically, many organisations have handled DSAR requests in a very manual and often ad hoc way. They may have received such requests through a privacy program email inbox or a customer service line; and tracked such requests and fulfilment processes via a spreadsheet. However, laws mentioned above (and emerging industry standards and best practices) have raised the stakes considerably. Increasingly, organisations are now required to do some or all of the following:

• Describe in their privacy statements how individuals may exercise their rights to present DSAR requests.
• Follow procedures to verify that an individual makes a valid DSAR request for personal data belonging to that person.
• Respond to DSAR requests promptly (usually within a window specified by applicable law).
• Allow an authorised agent to submit a DSAR request on behalf of an individual.
• Deny DSAR requests only under certain limited allowable circumstances.
• Keep accurate records of DSAR requests received as well as the fulfilment process.

Due to these requirements, data controllers and processors alike have been realising that the old “inbox and spreadsheet” method of handling DSAR requests no longer scales very well to the new reality of these requirements and the penalties that organisations could face for mishandling DSAR requests. To better contend with DSAR requests and other types of privacy-related inquiries or complaints, organisations must take a holistic view of the process. Comprehensive data inventories, accurate data mapping, practical and enforceable internal data protection and retention policies, and the assignment of roles and responsibilities to receive and fulfil individuals’ requests are all very important components of sound DSARs strategy.    

Further, since time is of the essence in the competent receipt, verification, and fulfilment of DSAR requests, organisations across industries have been outsourcing to more efficient and effective third-party specialist service providers (such as Elevate) that can deal with DSARs and other data subject rights more effectively. Often these services will work in conjunction with privacy platforms that provide DSAR compliance modules. Outsourcing has been especially true of organisations handling increasing volumes of DSAR requests, often from customers, consumers, employees, and other individuals who are becoming more aware of their rights under the law.  

In short, organisations are increasingly utilising external strategic guidance and process improvement support and leveraging outsourced human and technical support to help them receive and fulfil DSAR requests more effectively and efficiently. To learn more about how Elevate may be able to help in this respect, please do not hesitate to contact us.