Questions to ask for subject access request responses
- Posted on March 1, 2018
- Estimated reading time 4 minutes
As I wrote in my earlier blog post on consent for processing personal data online, I'd like to continue the discussion and now focus on data subjects' rights under the EU's General Data Protection Regulation (GDPR). Consumers like you and me have various rights under GDPR. These include the right to demand access to our personal data and to have inaccurate personal data rectified or erased entirely, sometimes dubbed the 'right to be forgotten'. We will be able to object to or restrict the processing of our personal data and, under certain circumstances, demand that our personal data be ported from one organization to another. The request by which a data subject exercises these rights (strictly, the right of access under Article 15, though the term is often used for the whole family of rights) is known as a subject access request (SAR).
GDPR is not the only regulation or law defining how to manage data, and its primary purpose is to protect personal data, not confidential business data or trade secrets such as business calculations, financial records or AutoCAD drawings of new offices. The problem arises when these different types of data are stored in the same place and mixed together without governance, change enablement, leadership input or tracking. Gaps in these four areas are the main reason for an unsustainable situation in which organizations find it almost impossible to decide to delete old or unknown (dark) data.
Probing into these scenarios is a multidimensional and complex combination of people, process and technology. We need to take a more holistic and concrete view, address it with strategic questions, and put in place the controls required to respond.
Here is a sampling of questions that organizations should ask:
1. How do we define the various types of personal data we hold, and how do we make them available to our customers?
2. How do we serve our customers and what is their user experience with our brand when they send subject access requests to us?
3. How do we identify and validate the data subject when they are requesting their data?
4. How do we deliver the data in a secure, electronic format and ensure that data is given to the right data subject?
5. How do we internally prepare our organization for SAR requests?
6. How do we collect data subject information? (Do we have public/internal forms, phone numbers, email addresses?)
7. Who are the responsible data owners and do they have mandates across organization silos?
8. What is the process for collecting data and making the decision if, why and how we should respond to the SARs?
9. Who will do the work? Is it a business/security/IT/HR responsibility?
10. Where is the data stored, and how do we track and monitor progress so that we stay within the response deadline?
11. What happens to the collected data, how long must we store it?
12. How do we track and monitor who has access and can use the collected data?
13. What tools do we use to find the data in both structured and unstructured data?
14. What are the risks if we are not able to share and deliver on time?
15. What data do we actually possess and where is it stored?
Those are just a few of the open questions that organizations must ask, without forgetting the main objective: what data are we collecting and which applications contain it? Usually finding data in structured applications and services such as CRM, HR, ERP and online stores is quite easy, because they have a clear structure, purpose and usage. The tricky part is that these systems often have bidirectional integrations with multiple systems outside our organization, so copies of the same personal data end up in places that the original system does not track.
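To make the locating step concrete, here is an added example written for this post (it is not code from the original article or from any product). It takes the identifiers a data subject has supplied, searches a structured store and a set of unstructured files for them, and flags any hit whose surrounding text also names another person, since that line needs redaction before disclosure (Article 15(4) says a copy must not adversely affect the rights of others). The CRM table, the file contents, and the `Hit`, `locate` and `third_party_lines` names are all constructed for the example; the in-memory SQLite table stands in for a CRM, the dictionary of strings for a file share.

```python
"""Locate a data subject's personal data across a structured store and
unstructured files, as the first step of answering a SAR.

All data here is constructed for the example; the CRM table and the files
do not come from any real system."""
from __future__ import annotations

import re
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    location: str      # "crm.customers#id=..." or a file path
    identifier: str    # which of the subject's identifiers matched
    context: str       # the matching row or line, for the reviewer


def normalize_email(addr: str) -> str:
    return addr.strip().lower()


def build_crm() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a structured source (CRM)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?)", [
        (1, "Anna Example", "Anna.Example@example.com", "+358 40 000 0001"),
        (2, "Ben Other", "ben@example.net", "+358 40 000 0002"),
        (3, "Anna Example", "anna.example@example.com", "+358 40 000 0003"),  # duplicate record
    ])
    return conn


# Constructed unstructured documents (file share exports, ticket notes, etc.)
UNSTRUCTURED = {
    "shares/sales/q3-notes.txt": "Call with anna.example@example.com re renewal, ben@example.net cc'd.\nBen declined.\n",
    "shares/hr/old-export.csv": "name,phone\nAnna Example,+358 40 000 0001\nSomeone Else,+358 40 000 0009\n",
    "shares/it/readme.md": "Nothing personal here.\n",
}


def search_structured(conn: sqlite3.Connection, identifiers: list[str]) -> list[Hit]:
    """Parameterised query per identifier: never build the WHERE clause from the
    subject-supplied string, or the SAR form itself becomes an injection vector."""
    hits = []
    for ident in identifiers:
        for row in conn.execute(
            "SELECT id, name, email, phone FROM customers WHERE lower(email)=? OR phone=?",
            (normalize_email(ident), ident),
        ):
            hits.append(Hit(f"crm.customers#id={row[0]}", ident, repr(row)))
    return hits


def search_unstructured(files: dict[str, str], identifiers: list[str]) -> list[Hit]:
    """Line-oriented scan; each hit records only the matching line so a reviewer
    can confirm it concerns the requesting subject and not a third party."""
    hits = []
    patterns = {ident: re.compile(re.escape(ident), re.IGNORECASE) for ident in identifiers}
    for path, text in files.items():
        for line in text.splitlines():
            for ident, pat in patterns.items():
                if pat.search(line):
                    hits.append(Hit(path, ident, line))
    return hits


def third_party_lines(hits: list[Hit], identifiers: list[str]) -> list[Hit]:
    """Flag hits whose context also contains an email address that is not one of
    the subject's own: those lines need redaction before they are disclosed."""
    own = {normalize_email(i) for i in identifiers}
    email_re = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
    flagged = []
    for h in hits:
        others = {normalize_email(m) for m in email_re.findall(h.context)} - own
        if others:
            flagged.append(h)
    return flagged


def locate(identifiers: list[str]) -> tuple[list[Hit], list[Hit]]:
    """Return (all hits, hits that need redaction) for the given identifiers."""
    conn = build_crm()
    hits = search_structured(conn, identifiers) + search_unstructured(UNSTRUCTURED, identifiers)
    return hits, third_party_lines(hits, identifiers)


if __name__ == "__main__":
    found, redact = locate(["anna.example@example.com", "+358 40 000 0001"])
    for h in found:
        print(("REDACT " if h in redact else "       ") + h.location, "<-", h.identifier)
```

The output is an inventory, not the response itself: every location still has to be confirmed by the data owner, the duplicate CRM record (ids 1 and 3) is exactly the kind of finding that a SAR surfaces, and the flagged line shows why delivering raw search results to the requester would leak a third party's address.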
Over the last two years, I've worked with multiple customers in a branch office focused on optimization and cloud transformation. Unfortunately, my key observations have been quite aligned with 3rd party analysis from companies like Veritas and Micro Focus.
Unstructured data will be the pain point and will raise lots of decision-making obstacles, because organizations lack understanding of the data they have stored over the years without knowing why or having a legal purpose. Data keeps being saved to old legacy systems because of accepted and learned employee behaviors, poor change enablement and normal resistance to change.
The good news is that GDPR should be seen as an accelerator for companies to delete old data, accepting some business risk, and that it will drive a stronger focus on SARs.