Privacy regulations and laws regarding customer data have been introduced to ensure companies are staying compliant, and one of those laws is GDPR. The General Data Protection Regulation (GDPR) is a legal framework that protects the digital privacy rights of E.U. citizens. Essentially, the GDPR created data transparency, allowing individuals to file a data subject request (DSR) to see what personal information of theirs your company uses, processes, or stores.
Once a DSR is filed, the GDPR requires organizations, or data controllers, to grant quick access to personal information to the data subject. Depending on the DSR request type, it might also necessitate further action, such as deleting, correcting, or transferring consumers’ data.
This guide will detail DSR request stipulations and DSR fulfillment best practices to ensure that your company is compliant with data privacy laws and regulations across the board.
What Is a DSR Request?
Before discussing the DSR fulfillment process, it might help to answer: what is a DSR request? The GDPR stipulates that data subjects have the right to access their data and personal information from data collectors.
This enables an individual to make a Data Subjects Access Rights (DSAR) request, which grants access to any personal data an organization controls. Using a DSAR, a data subject may also ask to see how the data is processed or whether any third parties are involved.
Once data access has been given, the data subject can send a follow-up DSR to the data controller. Depending on the circumstances, this request may compel the controller to take any of the following actions, as it pertains to the personal data:
- Receive copies
- Delete data
- Request changes or corrections
- Limit processing
- Receive it electronically so that it can be transferred to a different controller
- Lodge a complaint with a supervisory authority
DSR compliance mandates give organizations a 30-day window to appropriately respond to a formal DSR request. In some instances, they may also be allowed to file a deferral, which extends the deadline to 89 days. However, if an organization is adequately prepared, the initial deadline should provide ample time for a response.
Failure to fulfill the request within the allotted time frame can result in significant fines, regulatory penalties, and reputational harm.
How Do You Handle DSR Fulfillment?
DSR fulfillment is how organizations respond to a DSR request. With troves of personal data fractured across a network, companies rely on systemized fulfillment models to ensure that the DSR request is seen and responded to effectively.
The specifics of the DSR process are contingent on the organization and the data it collects. So, while every DSR fulfillment model will vary slightly, most will include the following steps of DSR requirements.
Step 1: Collect DSR Requests
Your first DSR fulfillment task is to formalize the DSR collection process.
Individuals need to know their data rights and have an easy way to lodge a DSR. Setting up customer-facing webforms enables this. To make the process as intuitive as possible, these forms must be branded, compatible with all devices, easily accessible, and user-friendly.
Here, automating DSR compliance can optimize the collection process in several ways:
- Reducing manual tasks, errors, and costs
- Improving user trust by ensuring that user data is secure and that requests are promptly responded to
- Increasing the speed, accuracy, and reliability of DSR response
Step 2: Respond to the Request
After a DSR fulfillment request has been received, an organization should acknowledge the contact. Recognizing the request gives the data subject peace of mind knowing that the DSR has arrived and the appropriate actions will be taken.
Be careful: Once a DSR request has been filed, do not delete or alter any personal data related to the DSR request, even if such actions were previously scheduled. Altering, tampering, or deleting data—particularly if done so on purpose, post facto—could result in significant criminal penalties.
Step 3: Verify the Individual
When the GDPR was first enacted, malicious individuals—including hackers and identity thieves—quickly saw a golden opportunity. It opened a vulnerability gap they could exploit to fraudulently access sensitive information, such as financial data or social security numbers.
With those cybersecurity risks in mind, companies must be wary of who is behind a DSR request. Don’t accept a request at face value. Instead, require the individual to provide proof of their identity.
While caution is important, so is restraint. The Data Protection Commission’s (DPC) guidelines advise organizations to tread carefully when responding to a data access request, stating that:
- Proof of identity should only be requested where reasonable and proportionate to do so
- Controllers should only request the minimum amount of further information necessary
While verifying consumers’ identities is crucial, the last thing you should do is ask customers to submit additional personal data or resubmit passports and IDs for identity verification. That would defeat the purpose of the original DSR, especially if the personal information contained within the verification documents is even more sensitive.
How then can you stop fraudulent DSR requests while still upholding data subject privacy?
The least intrusive verification method should leverage pre-existing record data and request two-factor authentication. For instance, to finalize a request, an organization may ask the data subject to:
- Provide their phone number
- Receive a text or call to the number, containing a verification code
- Enter the verification code
- Select a security question
- Answer it accurately
Step 4: Discovery
After a DSR request is received, the controller must locate the personal data that are subject to the request.
But locating an individual’s personal information is easier said than done.
Data is often fractured or duplicated across a company’s operations, systems, and networks. So, whether it’s stored in a CRM, PDF file, or application, organizations must be accountable for every single bit of personal data that’s used, processed, or stored.
If your system relies on manual processes, the discovery process may understandably seem like a Sisyphean task. But with the help of automation and AI, it becomes much easier to collect the relevant data, even when it’s scattered across multiple systems.
Step 5: Review Data and Obtain Approval
Once identified, the controller can review whether the data meet the internal requirements for upholding or rejecting the DSR request. For instance, you can’t reveal data if the disclosure infringes upon another person’s privacy rights.
After a user or bot approves the request, you must prepare the data sets for transport along a secure channel. Depending on the DSR request type, you may need to take additional steps, including:
- Rectify – If the data subject points out an error within the data you control, they have the right to ask that you correct the information so that it’s accurate.
- Restrict – Data subjects have the right to request a temporary stay on data processing until inaccurate information is corrected.
- Erase – The data subject may request that you delete all of the related data you control. If they’re an existing customer, you have more leeway to reject such a request. But if that’s no longer the case, you must delete the data seeing as it’s no longer considered of legitimate business interest.
- Export – Under the GDPR, data subjects have the “right of data portability.” This means that they can request an electronic copy of the data or ask that it be transmitted to another data controller.
- Object – In some cases, a data subject may also request that an organization stops processing their personal data completely. Organizations may refuse if they can demonstrate a legitimate reason to continue processing the data. However, they cannot refuse to comply with an objection for direct marketing purposes, which the European Commission defines as “any action by a company to communicate advertising or marketing material, aimed at particular individuals.”
Why Does DSR Fulfillment Matter?
Installing a working DSR fulfillment model is critical to an organization’s long-term health and success. And while there are several reasons why it should be a priority for your company, three stand out:
- GDPR compliance – Want to avoid costly fines and penalties? In order to comply with the GDPR, you must fulfill data subject requests, and do so in a timely manner.
- Happier customers – DSRs and DSARs empower users to take agency over how companies use their personal data. Providing transparency and a quick response demonstrates that you respect their digital privacy rights.
- Heightened security – If a company receives a sharp increase in DSRs this can create system-wide log jams. As requests build up, they can quickly overwhelm internal staff and put your organization at risk for a Denial of Service (DoS) attack, especially if you rely on a manual-based fulfillment system.
DSR Best Practices with Data Grail
The DSR and DSAR process is an important part of every organization. So, how can you set up your DSR fulfillment process for success? Automate it.
Whether you’re governed by the GDPR or another data privacy law like the California Consumer Privacy Act (CCPA), achieving DSR compliance requires that you know what personal information you have, where it’s located, and how it’s being used.
With an automated data privacy platform, such as the one DataGrail provides, you can optimize DSR fulfillment, empowering your organization to:
- Identify high-risk systems in order to reduce your DSR surface area
- Better prepare for a potential DSR DoS attack
- Save time and resources by eliminating spreadsheet and manual processes that expose you to greater levels of risk, error, and regulatory penalties
- Accelerate the fulfillment process
DataGrail’s Request Manager makes requests effortless. And there’s no-code onboarding—we do all the heavy lifting for you. This means that fulfillment takes less time and causes less stress.
Request a demo to learn more and see how we simplify data privacy compliance.
GDPR. What Is GDPR, the EU’s New Data Protection Law? https://gdpr.eu/what-is-gdpr/
Data Protection Commission. Data Subject Access Request. https://www.dataprotection.ie/sites/default/files/uploads/2019-10/FAQ%20Guide%20to%20Data%20Subject%20Access%20Requests_Oct19.pdf
European Commission. What happens if someone objects to my company processing their personal data? https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/dealing-citizens/what-happens-if-someone-objects-my-company-processing-their-personal-data_en