The essential 5 steps to respond to a Subject Access Request (SAR)

Data controllers have a duty to honour data subjects' rights. This post explains how to respond when a data subject exercises his or her rights.



Under the GDPR, a data subject has these 8 rights.


[The 8 fundamental data subject rights]

  1. The data subject's right of access
  2. The data subject's right to rectification
  3. The data subject's right to restriction of processing
  4. The right to be informed
  5. The right to data portability
  6. The data subject's right to object
  7. The data subject's right not to be subject to a decision based solely on automated processing


Below I describe, step by step, how to respond to a subject access request (SAR).



[The procedure for responding to a Subject Access Request (SAR)]


1. Get a SAR from a data subject


When an individual makes a SAR, verbally or in writing, the whole procedure starts. If any employee receives a SAR by any means and in any form, the company takes on the legal responsibility to respond. Even a request that reaches the organization through its official social media channels is a valid request.



2. Identify a data subject’s request


Identifying the exact request should be the first priority. Depending on which right he or she is exercising and what information is involved, you can choose from more than a thousand different ways to proceed. If it is hard to understand what they are requesting, you should contact the individual to clarify. Remember that the clock is ticking: you must comply with a SAR within one month. If the request is particularly complex, you can extend the time to respond by a further two months, but the clock is still ticking.



3. Determine the measures you take


The measures you take depend on what is reasonable in the circumstances. It may be reasonable to seek proof of identity from a requester you cannot identify before checking the data. The organization then makes a reasonable decision on whether the personal data should be disclosed or not.



4. Do not disclose an individual's data if doing so would affect another individual's privacy.


If you decide not to disclose data because it would affect another person's privacy, you must let the data subject know, giving a reasoned explanation. Careful consideration needs to be given to the specific context and content.



5. Securely disclose the output to a data subject


After a considered internal review, the data controller must notify the data subject. Before notification, it is best practice to check with the individual first.


 

6. Keep an audit trail


You should keep an audit trail of the request, including all information that was collated, the review undertaken and the key decisions made. It should also record whether any exemptions were applied, the response provided and the disclosure made, as well as all communication with the individual and third parties.



[Summary: the procedure for responding to a SAR]


1. Get a SAR from a data subject

2. Identify a data subject’s request

3. Determine the measures you take

4. Securely disclose the output to a data subject

5. Keep an audit trail


