The long-awaited General Data Protection Regulation (GDPR) effective date has finally come and gone. Though the implementation deadline for this new regulation has passed, there is no shortage of questions and uncertainty surrounding its specific details. One of the bigger challenges of the GDPR revolves around the rights it grants to data subjects, who now have the right to access their personal data, request the erasure of their data, and object to the processing of their data (among other rights).
These new data subject rights raise some questions for the organizations who handle EU residents’ personal data (i.e., controllers and processors). This blog post addresses some common questions we’ve heard from organizations who are now managing and responding to data subject requests.
How quickly do we need to reply to data subject requests?
The GDPR suggests that an organization reply to a data subject’s request within one month of the request submission. For requests made on the weekend or on a holiday, organizations have until the next work day to start the timer on their response.
Organizations are expected to respond within this 30-day period by: 1) completing the request (providing access to the data, erasing the data, or stopping data processing), 2) asking for further documentation proving a data subject’s identity, or 3) replying with an answer as to why the request cannot be completed (a legitimate reason must be provided).
It is recommended that upon receiving a request for access, the organization should reply to the data subject letting them know that their request was received and that they will receive an “official” response within the 30-day timeline. For more complex requests, we have seen some organizations extend the response timeline to two months.
Who is responsible for responding to data subjects' requests?
Responsibility for complying with a data subject’s access request lies with the data controller. Data controllers need to ensure that they have contractual arrangements in place with their processors to guarantee that data subject access requests are dealt with properly, regardless of whether they are sent to the controller or the processor.
Howe should we respond to access requests?
Data subjects have the right to make a request by any means they choose – written letter, email, verbal communication, etc. However, regardless of how the request is made, the regulation recommends that organizations provide their responses to requests and the requested data in an electronic format. Organizations should keep electronic records of their responses to data subject requests.
What if we don't have the data being requested?
Organizations that do not store the requested information should still provide any data that they have for that individual to the data subject, even if it’s different from the information they requested.
What should we do if the information is encoded?
For such cases where the requested data is encoded, you must provide a guide to the data subject that will allow the data subject to interpret their data. In this scenario, you would be required to provide a key to explain the meaning of the information. However, although it is a good practice to do so, you are not required to decipher the information, as the GDPR does not require organizations to make the information legible – you are only required to provide the key to interpret it. Even still, it’s a good practice to ensure that individuals fully understand the information you give them. Organizations do not have to translate the data from the language it’s processed and stored in; however, they cannot amend or delete the data after a request has been made.
What should we do if the request involves another data subjects' information?
Organizations are not required to respond to any request that may involve the data of an individual other than the data subject who is making the request, unless the other individual has consented to the disclosure.
When does a data subject have the right to object?
A data subject has the absolute right to object when their data is being processed for direct marketing purposes. In addition, individuals can object when their data is being processed for a task carried out in the public interest, the exercise of the organization’s official authority, or the organization’s (or its third parties’) legitimate interests. In these scenarios, individuals have a right to object to data processing, but they must give specific, legitimate reasons for their objection.
Organizations can continue processing if the the task is carried out for the legitimate reason of public interest, or for either of the following reasons:
- The organization can demonstrate compelling, legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
- The processing is for the establishment, exercise, or defense of legal claims.
If the data subject’s grounds for objection are deemed legitimate, the organization/controller/processor must stop processing the data immediately; however, this does not require the data to be erased. Erasure may not be appropriate if you process the data for other purposes and need to retain that data for said purposes.
For example, if an individual objects to direct marketing, an organization can place that individual on a suppression list to comply with their objection, rather than erase them from the system. In this case, organizations need to be careful to ensure that this data is clearly marked for suppression, so that it’s not processed for the purposes the individual has objected to.
Fulfilling, managing, and tracking data subject requests may seem like a chore, but it can be used an opportunity to build more trust and better relationships with your customers. Exercising individual rights and submitting requests should be simple and intuitive for data subjects, and they should be able to expect quick, clear responses. Controllers and processors should take the necessary steps to ensure that this data is recorded accurately, stored securely, and managed efficiently, so it can be easily accessed in order to respond to requests within the 30-day time limit.
Focal Point offers GDPR operationalization services that can help companies streamline data subject request processes, track and manage requests, and meet data subject needs. Learn more or schedule a meeting with one of our GDPR experts today.
Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.
Want more insights into the GDPR?
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.