The General Data Protection Regulation (GDPR) redefines the relationship between organizations that process personal data and the individuals whose data is being processed (data subjects). One of the most dramatic ways the GDPR does this is by creating the right for data subjects to make privacy requests regarding their personal data.
These data subject requests (DSRs) can cause considerable stress for organizations for a number of reasons: They involve direct interaction with consumers (who may report them for non-compliance), they must be completed within a time limit, there are numerous exceptions, and they require advance planning. However, with some preparation as part of a wider GDPR-compliance strategy, handling DSRs can become a routine and relatively painless task.
The GDPR creates six types of data subject requests:
Data controllers determine the purposes and means of processing personal data, while data processors only process personal data on behalf of a controller. Generally speaking, only the controller is responsible for responding to a data subject request, though processors must provide assistance (e.g., by deleting the relevant data or giving the controller a copy).
Controllers must complete a data subject request within one calendar month from the day they receive it. This period may be extended by two further months when necessary, taking into account the complexity and number of the requests. The data subject must be informed of this extension within the first month after receiving the request, along with an explanation for the delay.
A controller should take reasonable and proportionate measures to verify a requester’s identity, especially before providing them access to personal data. If the controller already has other verification measures in place, such as a username and password, this will often suffice; if the personal data at issue is particularly sensitive or high-risk, other verification may be appropriate. However, verification should not be used to discourage data subjects from making requests. For example, if the requester wishes to opt out of direct marketing, the controller should not require proof of identity because there is no risk of harm. The time taken to verify the data subject’s identity does not pause the one-month time limit for responding.
Yes, a controller may contact the data subject about their DSR. For example, if a data subject makes a general access request, the controller may ask them if they are seeking any type of information in particular. However, the controller should bear in mind that the data subject is under no obligation to narrow their request, and the one-month time limit still progresses during the clarification process.
Generally, you may not charge a fee for responding to a data subject request. There are two exceptions to this rule:
If one of these exceptions applies, the controller may charge a reasonable fee related to their own cost of responding to the request.
A data protection officer (DPO) monitors their organization’s privacy compliance, and should be the point person for handling data subject requests. However, not all organizations under the GDPR’s jurisdiction are required to have a DPO. A DPO must be appointed if any of these three factors apply:
Even if you are not required to appoint a DPO, it is still a good practice to designate at least one person to oversee your organization’s privacy efforts.
Data subject requests can be tough to manage on your own, and they are just one part of what's required by the GDPR. The complexities of this compliance make it seem out of reach to many businesses that don’t have in-house privacy experts who can handle it. TrueVault Polaris provides those businesses with the tools they need to handle GDPR compliance on their own.
With an interface similar to online tax software, Polaris guides organizations step-by-step through the process of becoming compliant, and then helps them stay that way. Responding to data subject requests is a big part of staying compliant; Polaris makes it much simpler through automation and efficient workflows. What was once a source of stress becomes a routine task. Learn more about Polaris and schedule a demo today.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.