A recent report published by Technology Law Alliance reveals that just 18 per cent of companies will be ready for the introduction of the General Data Protection Regulation on May 25, 2018.
This news isn’t surprising because it is one of the most far-reaching regulations to hit organizations in more than a decade. At first glance, the sheer amount of changes your organization needs to make to ensure the data rights of UK/EU citizens are met under the regulation can be quite daunting.
One of the most high profile aspects of the GDPR is Subject Access Requests (SAR). Get this wrong, and your organization’s reputation could be severely damaged, not to mention be fined by the ICO for non-compliance. Get SARs right, and your organization will not only meet compliance obligations, but also improve efficiency across the organization and gain a better understanding of your business data.
So, why are organizations struggling to set-up an automated subject access protocol for people seeking to understand what personal information is being held about them? Companies have just 30 days to fulfil these requests.
There are three main reasons why most organizations are not yet ready to handle Subject Access Requests. Because they have not yet:
- Accurately identified and mapped data sources and flows
- Developed a taxonomy of all data and information assets
- Created auditable workflows that can deal with all the various SAR events
According to GDPR, you, the Data Controller, have 30 calendar days to respond to a SAR. The requested information must be provided without delay and, at the latest, within one month of receipt. This can be extended by a further two months where the request is complex or where there are numerous requests. If this is the case, the person requesting the information, the Data Subject, must be contacted within one month of the receipt of the request to explain why the extension is necessary.
When the Data Subject makes a SAR by electronic means, the information must meet portability standards and should be provided in a commonly used electronic format unless otherwise requested by the Data Subject. Before providing the information, you must verify the identity of the person making the request using “reasonable means.”
Subject Access Requests are one of the easiest things to set-up if you have all of your data mapped and classified in a searchable database. Unfortunately, this is rarely the case in large-scale enterprises, but the demands of GDPR provide a unifying catalyst for business units to work together to solve this challenge. Let’s look at what you can do to succeed:
Map your data
One of the biggest challenges to handling subject access requests is finding the full extent of the personal information you hold on people. This is an issue for business and technology professionals responsible for GDPR compliance struggling with disparate data sources and can be solved with closer working relationships between business units and IT functions. Identifying the extent of your data sprawl can be a sizeable task as large British businesses manage personal data across an average of 24 different systems.
If your organization has grown through acquisition, you will likely discover additional systems that were implemented years ago (by employees that have since left the business) that hold additional information on customers, employees and suppliers that need to be brought into the fray.
As part of your Data Protection Impact Assessment (which is an essential foundation to GDPR compliance) you should identify the sources and flows of data in your organization. The data flows include the transfer of personal information, within and outside of the organizational boundaries as well as across geographic boundaries inside and outside of the European Union.
When you undertake the mapping of your data, you should also look at the type of personal information and the critical data elements including:
- Data items – Name, email, address, health data, criminal data, biometrics data, locational data
- Formats – Hardcopy (paper records), digital, database repositories
- Transfer methods – Post, telephone, social media, internal (within), external (data sharing)
- Location – On premise, company offices, cloud and third-parties
These are just a few aspects that you should consider when assessing your data. It’s an undeniably time-consuming exercise that will require regularly engaging your colleagues using a number of tools and methods including questionnaires, workshops and interviews.
Develop data taxonomy
Once you have mapped your data, it is now time to develop a taxonomy. This step is important because a taxonomy will enable you to effectively search, locate and retrieve data and information from across your organization.
We are not proposing that organizations transfer or copy all relevant data from all sources into a new data warehouse, duplicating the data and adding to the compliance issues. Instead, we are recommending that data for customers, employees and suppliers are identified and their location stored in a purpose-built database.
This approach will ensure that any SAR can be responded to accurately and in a timely manner across the organization. This will also support the Data Protection Impact Assessment initiative.
Processing data requests
Once your data has been mapped centrally, you will be in a position to implement the important and high profile workflows that link Data Subjects with the information they seek within your organization. Developing a standardized GDPR request management process is vital, such as the one shown below:
In practice, a Subject Access Request from a Data Subject (here, Jane Doe, a former colleague, for example) may generate the following sequence of automated workflows:
1. Jane Doe lodges her Subject Access Request with your organization by sending an email via corporate website.
2. Your colleagues responsible for managing GDPR Subject Access Requests triage the request from Jane Doe.
3. A workflow process is automatically created to control the lifecycle of the request to ensure all necessary steps are accomplished within the defined timelines. An automatic SLA is triggered.
4. Emails informing the triggering of the Subject Access Request from Jane Doe are sent to appropriate colleagues to validate her identity and her request for personal information.
5. Jane Doe receives an email informing her that her request has been received by your organization, and that it is being processed.
5. Colleagues across your organization are informed of the SAR and told what tasks must be completed and by when.
6. Correspondence to manage communications with Jane Doe will be triggered, fulfilling the request from her, such as:
- Notifying Jane that her request has been received
- That her request is valid and action to complete the request is underway
- What actions have been and will be undertaken based on her specific type of request.
7. Requests are closed with a resolution code. These resolution codes are used to allow compliance reporting to be produced on volumes of requests and actions taken.
The Subject Access Request is the most high profile aspect of the GDPR, outside of data breaches, since the regulation is effectively designed to increase the power that individuals hold over their data. SARs will be particularly high-profile as the Data Subjects will be current and former customers, employees and suppliers. As a result, it’s important to get this right. It is not difficult. It just requires strategic planning and effective collaboration.