The rights of data subjects with respect to their personal data are being expanded under the EU General Data Protection Regulation (GDPR), impacting the business processes of data controllers and processors. At OneTrust, our customers are particularly concerned with how they will facilitate, manage and handle requests from data subjects looking to exercise these rights, as well as the complexities that lie within each distinct right.
The GDPR provides individuals with a variety of rights over the processing of their personal data. These rights allow individuals to have control over, and place limits on, the collection, use and disclosure of their personal data. They also place certain obligations on data controllers with respect to those rights, and on data processors to assist controllers with those obligations. While many of these rights exist today under the EU Data Protection Directive, there have been some significant additions. This article focuses on the three rights that we hear our customers asking about the most – the right of access, the right to erasure, and the right to data portability.
Data subject rights – Requirements and considerations
Specific obligations and requirements exist with respect to each of these rights. However, the general obligations of controllers, under Article 12, include:
- Providing information to data subjects in a concise, transparent, intelligible and easily accessible form, using clear and plain language;
- Providing the information in writing, or by other means, including, where appropriate, by electronic means;
- Facilitating the exercise of data subject rights;
- Providing information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request; however, that period may be extended by two further months where necessary, taking into account the complexity and number of the requests;
- Informing the data subject of any such extension within one month of receipt of the request, together with the reasons for delay;
- Where a request is made by electronic form means, providing the information by electronic means where possible, unless otherwise requested by the data subject;
- Where a controller does not take action on a request, informing the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy; and
- Providing information free of charge; however, a reasonable fee, taking into account administrative costs, may be charged where requests are manifestly unfounded or excessive, in particular because of their repetitive character.1
There are also specific exceptions that exist where a controller may refuse to act on a request:
- Where the controller is able to demonstrate that it is not in a position to identify the data subject (e.g., where a call center employee is unable to authenticate a caller);2 or
- Where requests are manifestly unfounded or excessive, in particular because of their repetitive character (e.g., spammers).3
Additionally, where a controller has reasonable doubts concerning the identity of the individual making the request, the controller may request additional information necessary to confirm the identity of the data subject.4
As a result, controllers have a lot to keep in mind, and data processors will need to understand these requirements as well so that they can assist the controller with fulfilling its obligations.5 Controllers should also consider updating their standard operating procedures for handling requests, and incorporating processes for evaluating whether they have a right to deny a request. As with other aspects of data subject rights compliance, OneTrust privacy management tools can also assist with quickly weeding out illegitimate requests, helping controllers to focus on the requests that are legitimate.
Along those lines, this expansion under data protection law presents an opportunity for controllers to integrate their data subject request process with other processes, such as customer support and incident response. For example, many customer support teams (or “help desks”) have already been informally handling data subject requests (knowingly or not), but moving forward these teams will need to be trained on how to follow GDPR requirements, while also ensuring proper documentation and tracking that allows for quality oversight and accountability.
Another example is in the area of breach response procedures, which could be updated to anticipate that a breach may result in an incoming wave of data subject requests, with resources allocated to handle them. Similarly, personnel should be ready for data subject requests to come in after a new product release or marketing campaign.
These examples highlight the importance of creating standard operating procedures for personnel to follow when responding to these situations, and setting up a network of privacy champions throughout the organization who can assist with implementation and oversight.