Data Subject Rights

The Problem

The truth is that most Data Subject Rights are not new. The real difference is individuals' growing awareness of their rights, which is increasing the number of requests most organisations receive. Add to this the new rights under the GDPR, the removal of the ability to charge a fee and the availability to the ICO of the highest level of monetary penalty for the worst infractions of the requirements, and the reality is that most organisations now need a plan and process for what they do when a request is received.


This really is an area where 'failing to plan is planning to fail'. Your plan should include everything from understanding the data you have, who it relates to and what complications there may be in honouring a Data Subject request. Your staff need to understand what rights individuals have and their role in meeting them. Above all, you need to understand which types of request your organisation is most likely to receive and who you may need assistance from. For example, there may be certain pinch points in your relationship with individuals (such as a declined application for a sensitive service) which are likely to prompt a request for the data you hold, and knowing in advance who, internally and externally, may need to provide information is vital.


Do your staff know who to pass a Data Subject Request to and how? Will you manage requests within a dedicated tool that provides the necessary management information about volumes and response timelines? Do you have a process by which you will verify the identity of people submitting requests? What about standard correspondence and ways to exchange information with the data subject? Does your process contain an agreement about the timescales in which various departments need to provide the information they have been asked to provide? Is there a process to quality check the response given to individuals? Trying to do all these things on the fly can be time-consuming and costly. Get your processes in place before you need to use them.


On the face of it, honouring a Data Subject request should be fairly straightforward. The reality, however, is often different. Your team dealing with requests needs to have sufficient knowledge of your obligations and the time to assess and respond to each request in the timescales allowed. For example, they need to be able to balance the right of someone to see the information you hold about them with the rights of others whose information may be linked to them. Redaction of records provided to an individual needs to be carefully done, including ensuring the redaction cannot be undone and stripping a file of metadata etc. where necessary. The team dealing with your Data Subject requests needs to be knowledgeable and able to act in the interests of the individual, while having the time and skill to communicate why your organisation may not be able to provide the result the customer asks for, e.g. being able to explain why a deletion request can only be fulfilled in part and how your company plans to protect the data which cannot be deleted. Remember that a complaint to the ICO is a potential outcome and your response team needs to be sufficiently proficient to spot and mitigate any issues in advance.

Our Solution

Our Data Subject Rights managed privacy service is tailored to your organisation's needs but at its core provides you with skilled resource capable of managing requests from start to finish.

Your Fidabona-led privacy team will review requests and ensure they are managed in line with your obligations under data protection laws. We also help you address the nuances and manage compliance in areas such as:
- Verifying the identity of individuals making requests
- Clarifying the scope of a request
- Managing communication with Data Subjects
- Dealing with third party requests
- Redaction of records
- Charging a fee for "manifestly unfounded or excessive" requests
- Refusing or limiting a request
- Requests involving children

Our Data Subject Rights managed service adds the skills you need to an internal team to meet requests in a timely and compliant manner, reducing your staff's time away from their usual duties while ensuring your relationships with individuals and the ICO are protected.

How it works

Our service is flexible, allowing you to choose just how involved we are in your Data Subject Rights process. You can engage us to handle the whole process from start to finish or opt to involve us only in the most complicated requests. We can provide an entirely outsourced service or help you build and staff an internal team on your premises.
  • 24/7/365 telephone line answered in your company name.
  • a range of technology tools to help manage your process.
  • time spent and fixed cost options.
  • liaison with the ICO on difficult cases or complaints.

Test us out for free

Have a query about Data Subject Rights you would like answered? Book a free 30-minute online meeting with one of our qualified staff or submit a ticketed query about a request you are currently dealing with.