Home Compliance StandardsGDPR What is a GDPR Data Subject Rights Request? 
GDPR

What is a GDPR Data Subject Rights Request? 

by RSI Security
written by RSI Security
ZTA

Finding yourself in the middle of a data subject access request (DSAR) and unprepared can be pretty jarring. Most businesses aren’t even GDPR compliant and will not know how to handle a DSAR.

However, you should keep in mind that the DSAR is not only easy to handle, but it is a way to show your customers that you care about their privacy and securing their data. This article will show what it is and how to handle one.

 

What Is A GDPR Data Subject Access Request?

The GDPR stresses the importance of the rights and freedoms of the natural person. So much so that if your compliance strategy was solely to cater and protect these rights, you would be miles ahead of the competition.

One such right under the GDPR is the “right of access by the data subject.” Essentially, this right allows any data subject the option to request access to the personal data your organization holds on them. 

But it is not only limited to this. Data subjects may also request how the data is processed and if any third-parties are involved in the processing.

A pro-tip here is to include this into your privacy policy, required by law. But it could save you a lot of time if you are as transparent as possible with your data subjects.

Providing general information about how you process the data and how you safeguard it could satisfy the needs of those sitting on the fence about exercising this right. Saving you time and resources and keeping your customers happy.

Who Can Request Data Access?

Any EU data subject can exercise the right to request data access. If your organization processes the data of an EU data subject, then they may request access. If you don’t process any of their data, you will not have to act upon a data subject access request, but as a matter of courtesy, you should at least respond with an email stating so.

However, this excludes data subjects that reside outside of the EU. The GDPR does not cover Non-EU residents. But some larger organizations, like Google, offer data subject access requests to all their users regardless of residency. If you wish to extend this service to all your customers, that is your prerogative, but it is mandatory only if you process the personal data of EU data subjects.

 

Assess your GDPR compliance

 

What To Expect From a Data Subject

If you do end up receiving a data subject access request, there are some things you can expect from the data subject making the request. 

What the data subject will say in the email or phone call is more unpredictable. The European Union is a collection of many countries with different languages. Clarify that you will accept a DSAR in English. Still, if you are a non-European company, you should relay that information to your GDPR representative (Article 27), where they can advise you better.

Generally speaking, the data subject will inform you of their rights and request access to their data. They may also exercise other rights of which you may be unaware. 

Lastly, you should supply contact details, either a phone number or email address, where the data subject can make a formal request. It will make it easy to recognize a DSAR if it is coming from one specific channel. 

 

Rights of the Natural Person

Following a DSAR, the data subject might choose to exercise any of the following rights: 

    • Right to be informed: This right will form part of the privacy policy. The rule regards the right for data subjects to know the categories of data that is collected.
    • Right of rectification: After a DSAR, the data subject may find an error on the data you hold on them. The right to rectification means you must correct the wrong information.
    • Right to erasure (also known as the right to be forgotten): The data subject may ask your organization to delete all data held on them. If they no longer use your services, you must oblige as there is no longer any legitimate interest.
    • Right to restrict processing: Similar to the right of rectification, if inaccurate data is processed, the data subject may request a delay in processing until the information is corrected. The right to restrict processing is most often applied when the data subject does not want to delete data but seeks to have it corrected.
    • Right to object to processing: The data subject may also request that the organization stop all processing entirely. However, this right is dependant on the conditions; you can find the whole article here.

Gaining a better understanding of the individual’s rights means you will respond to a DSAR better.

Responding to data subject requests

Having the facilities in place for a DSAR is essential, but a correct response is crucial. The GDPR gives organizations a month to respond to a DSAR. If your organization has prepared adequately, it should not take you a month to respond to a DSAR, so the time frame is rather generous.

However, it could take a month time period for back-and-forth communication with the data subject. 

 

Step 1: Acknowledge The Request

The first thing you need to do is to acknowledge the contact from the data subject. Acknowledgment of the request will begin the process and reassure the data subject that you are actively dealing with their request. Keep in mind that a DSAR can be sent to anyone in the organization. 

Ensure that you enact a policy requiring that all DSARs redirect to the right person within the organization. Secondly, you must halt any deletion of the personal data regarding the individual making the request. 

Altering or deleting data in an attempt to complicate a DSAR is a criminal offense.

 

Step 2: Verify The Individual

After acknowledging the request, you will want to ensure that you verify the individual’s identity making the request. You are allowed to request identification to compare to what you already process as a means of verification. 

For example, if you process passport information as part of the business operation, you can request that they send you a copy to verify it with your records. An individual can request via a representative, like a solicitor. Do your due diligence and ensure that the individual has authorized this request via a representative.

 

Step 3: Act Quickly and Clarify

When you are satisfied that the individual is genuine, it is time to act on the access request. If the data subject’s request is broad or unclear, please reach out to the individual and ask for clarification. Ask if they are requesting any specific category of data. The individual is in no way obligated to tell you why they are asking for the data, but this process may help establish the parameters of the data.

Lastly, as mentioned previously, this open communication channel reassures the data subject that you are taking their request seriously.   

 

Step 4: Identify Data, Prepare Data Sets and Send 

Once that data is clarified, it is time to identify the data sets requested in the information system and prepare them for “transport.” This transport means finding the secure channels to send the data through so that the recipient may access it safely. 

Note that you may not disclose any data that may infringe on another natural person’s rights and freedoms. For example, disclosing any emails involving the data subject and another person cannot happen while fulfilling the access request. 

 

Step 5: Record and Review Decisions Made

The final step is to record all actions taken and review the process. This step is essential because it will help your organization make improvements if another DSAR is requested. This internal audit will also help in any supervisory authority review, allowing you to avoid fines.

 

How We Can Help

Handling a data subject access request is a small part of becoming fully GDPR compliant. Regulators are becoming more aware of data misuse, and the pressure for the supervisory authority to seek out non-compliant businesses is high.

Don’t let regulatory requirements slow your business down. Get in contact with RSI Security today, and let us help you with your compliance strategy. Schedule a consultation here

 

Speak with a GDPR expert today!

 

0 comment
0
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

The GDPR Special Categories of Personal Data

March 17, 2021

Why BYOD is Bad For GDPR Compliance

June 13, 2019

What is the Standard Contractual Clause (SCC)?

October 26, 2022

What Is Considered PII Under GDPR?

March 4, 2020

The Future of Data Privacy in the US

March 3, 2020

What GDPR Means for These Five Industries

April 6, 2020

How to simplify GDPR with this need-to-know checklist

June 8, 2018

What is EU-US Privacy Shield and Why Does...

May 6, 2020

How Does GDPR Affect B2B Sales?

October 6, 2022

How to Make Your Website GDPR Compliant: A...

August 16, 2019

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More