Chief Privacy Officers (CPOs) keep track of many privacy-related functions in a company, including data subject access requests (DSARs). DSARs hold a critical position in privacy compliance: they allow customers to view the data you’ve collected on them and decide whether they want to make corrections, or whether they don’t want you to keep any of it and ask to be removed. The GDPR takes these requests very seriously and has fined many businesses for minor violations. DSAR compliance belongs on your CPO’s radar!
It’s impossible to predict how many data subject access requests will occur in any quarter, or what growth might look like. However, reviewing when they occur and what they have in common can tell your CPO where you can improve. Here are the DSAR questions your CPO should be looking into every quarter.
1. How are We Handling DSARs Right Now?
No single legal standard for how to conduct a DSAR exists. In the majority of cases, a company will handle DSARs in one of four ways:
- Fully manual, where an assigned person or group of people handles every step from start to finish
- Workflow-driven manual, where some steps are handled automatically, and most are still handled by people
- Hybrid workflow and system integration, where a good deal of the data collection and verification is automated
- Fully automated, where the entire process is completed by a computer with no human intervention required aside from the initial request
Audit your data subject access request system and look for areas you can simplify or even automate. The smoother and less error-prone your DSAR fulfillment process is, the less likely you are to deal with fines or dissatisfied clients. And while full automation is ideal, it may not be practical. The least desirable method is fully manual.
2. What is Our Average DSAR Volume and Fulfillment Time?
Has your company noticed a recent increase in DSAR volume? If so, has it increased slowly or exponentially? If you’re dealing with a significant hike in data subject access requests, you may need a more scalable fulfillment solution.
Fulfillment time also deserves some consideration. For example, the GDPR requires companies to fulfill DSARs within one month of the request. Extensions are allowed only when absolutely necessary. Even if your company’s average DSAR fulfillment time is under one month, remember that a few very long or very short fulfillment times can skew the average. Each regulation that includes rights requests specifies how much time you have to complete a request before consequences apply. If your longest recorded completion time is longer than allowed, work on bringing it into compliance.
3. What Do the DSARs Have in Common?
DSAR trends rarely occur in a vacuum, and knowing what prompted them can lead you to possible solutions.
For example: have all your recent data subject access requests come from the same geographic location? Maybe it’s time to check whether the laws there have recently changed, or whether a recent event or news story prompted people to look more closely at their private data. Are all the requests asking to be forgotten? Maybe you need to reconsider how you handle customer information. Most importantly: do your customers seem unhappy? What’s the overall “tone” of the requests? Based on what you find out, it may be time for a change.
Your Quarterly Data Subject Request Health Check
Your privacy setup needs periodic health checks, and data subject access requests are no exception. Your CPO should dedicate time every quarter to ensure legal compliance in DSAR fulfillment, as well as analyze the data for any revealing trends.