Article 15 – The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information (…)
Is the Subject Access Request something new?
As with many of GDPR’s basic rights and principles, the Subject Access Request is not entirely new. As it stands today, we all have the right to contact an organisation and ask them what data they have on us, how they got it, and what they use it for. We can also ask them, if applicable, to update or delete such data.
So, what’s all the commotion about?
There are a few differences in the way GDPR will rule this process:
- Reducing the time frame for response to 30 days, unless you can justify why that’s not long enough
- Providing the information at no cost – there are a few exceptions, but you’ll have to prove they apply
- Providing the information in a commonly used electronic format, where applicable
- A much higher fine, should you fail to comply
At this stage, nobody really knows how often organisations will receive these requests, and we can only assume that it will be very different from company to company. The type of market you’re in (B2B or B2C), your industry, the type of data you process, and how “well behaved” you are in your marketing initiatives will presumably impact the number of requests you receive.
But regardless of how often it will be used, the process must exist for the organisation to be compliant.
Getting ready for the Subject Access Request
If you’re based in the UK or dealing with UK-based citizens, the Information Commissioner’s Office is always the best starting point for all things GDPR. There you can find information on what rights data subjects have, and what you need to do to respect those rights.
When designing the process to support Subject Access Requests, there are a few important things to consider:
- Ensure that those submitting requests are who they say they are. You need to take reasonable measures to avoid sharing personal data with someone who might be impersonating the data subject. This seems obvious, but for many organisations it will require a new business process, as they have never had to verify a requester’s identity before.
- List all your data sources. This should have been done at the beginning of the GDPR project but, if you haven’t done so yet, now is a very good time. When a person asks you what data you hold on them, they want to know all of it, including what’s in that backup tape that has been stored in the warehouse since 1998. By the way, if you have 20-year-old backup tapes, you should ask yourself if you really need them. If there’s no reason to have that data, just delete it. If there is a reason to have it, make sure you document it, along with the security measures around such data format.
- Excel. Yes, the largest, most used database in the world (and for some, the most dangerous software on the planet)! For those who use Excel as a “CRM system”, mapping existing data is close to impossible – you may know what data was in the initial files that were created, but by now there are hundreds of versions of those spreadsheets scattered around shared drives, inboxes, local machines, pen drives, and personal computers at home that are also used by your sales rep’s 8-year-old son. You need to get control of all that Shadow IT, today! A CRM system is not the silver bullet, but it will help. A lot.
- Get rid of duplicate records. The large majority of organisations have duplicate records in their CRM system. A survey conducted by QGate last year, across a sample of 24 organisations, showed that the average duplication rate was over 6%, with one particular company holding close to 40,000 duplicate records in its CRM system. Don’t bury your head in the sand – see how many duplicates you actually have today – just run Paribus Discovery’s free trial, which gives you a Duplication Report.
- Test your Search mechanisms. How many times have you searched for a name and the results came up empty? But why couldn’t you find them, when you are absolutely sure they are in the system? It’s very simple – instead of creating the contact as Robert Dixon, your colleague typed Rob Dicksen; or, instead of First National Bank, someone typed FNB. Paribus Interactive’s Fuzzy Matching engine finds these records for you, and you can also try it for free to see how it works.
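The kind of fuzzy lookup the last two items describe, as an added Python example (not Paribus code and not part of the original post): it expands nicknames, compares name parts by Soundex or edit similarity, and treats an initialism as matching the full organisation name, so a search for Robert Dixon also surfaces Rob Dicksen and a search for FNB surfaces First National Bank. The nickname table and the CRM records are constructed for the example, and the result is a candidate list for a human reviewer, not a final answer.

```python
"""Added example: fuzzy name lookup over a constructed CRM extract, to surface
every record that may belong to a data subject before answering a request."""
import re
from difflib import SequenceMatcher

# Assumed nickname map (constructed); a real deployment needs a fuller table.
NICKNAMES = {"rob": "robert", "bob": "robert", "bill": "william", "liz": "elizabeth"}

RECORDS = [{"id": 1, "name": "Robert Dixon"}, {"id": 2, "name": "Rob Dicksen"},   # constructed
           {"id": 3, "name": "Roberta Dixon"}, {"id": 4, "name": "First National Bank"},
           {"id": 5, "name": "FNB"}, {"id": 6, "name": "William Stone"}]

_SOUNDEX = {c: str(d) for d, g in enumerate(("bfpv", "cgjkqsxz", "dt", "l", "mn", "r"), 1) for c in g}

def soundex(word):
    """Classic Soundex code: Dixon and Dicksen both give D250."""
    word = word.lower()
    out, prev = word[0].upper(), _SOUNDEX.get(word[0], "")
    for ch in word[1:]:
        code = _SOUNDEX.get(ch, "")
        if code and code != prev:
            out += code
        if ch not in "hw":  # h and w do not separate repeated codes; vowels do
            prev = code
    return (out + "000")[:4]

def normalise(name):
    """Lowercase, drop punctuation, expand nicknames: 'Rob Dicksen' -> ['robert', 'dicksen']."""
    return [NICKNAMES.get(t, t) for t in re.findall(r"[a-z0-9]+", name.lower())]

def tokens_match(a, b):
    return a == b or soundex(a) == soundex(b) or SequenceMatcher(None, a, b).ratio() >= 0.8

def names_match(query, candidate):
    q, c = normalise(query), normalise(candidate)
    if not q or not c:
        return False
    acro = lambda toks: "".join(t[0] for t in toks)  # 'First National Bank' -> 'fnb'
    if (len(q) == 1 and len(c) > 1 and q[0] == acro(c)) or \
       (len(c) == 1 and len(q) > 1 and c[0] == acro(q)):
        return True
    if len(q) != len(c):
        return False
    orders = (list(zip(q, c)), list(zip(q, reversed(c))))  # also handles 'Dixon, Robert'
    return any(all(tokens_match(x, y) for x, y in pairs) for pairs in orders)

def find_records(query, records=RECORDS):
    """Ids of every record a reviewer should check for this data subject."""
    return sorted(r["id"] for r in records if names_match(query, r["name"]))
```

Over-inclusion (Roberta Dixon appearing next to Robert Dixon) is the safer failure mode here: a reviewer can discard a false candidate, but a record that never surfaces is data you will not disclose, update, or delete.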
The bottom line is, in order to provide a person (data subject) with the information they require, first you need to find it. Mapping your existing data is, of course, the first and main step in this direction, but please don’t forget that if you have duplicate records – and it is very likely that you do – the data you are providing, updating, or deleting may not be all the data you have on that person. If that is the case, you are not complying with GDPR.
If you’re up to some serious reading, here is the actual legislation!
Disclaimer: the content of this blog does not constitute and cannot be seen as legal advice, and should not form the basis upon which any person or organisation takes a decision or reaches a conclusion in regards to their rights or obligations.