Here’s an embarrassing story of a company that did not take its privacy obligations seriously.
One day, a Danish customer called Nuuday, one of Denmark’s telecommunications companies, to apply for broadband access at his address. He was asked for his social security number as part of Nuuday’s application process. Because the customer felt very uncomfortable providing his social security number, he filed a data subject access request (DSAR) asking why and on what basis the company had collected his social security number. He didn’t receive a final response until six months later.
In early 2022, the Danish Data Protection Agency (DPA) publicly criticized Nuuday for unfairly collecting its customers’ social security numbers. The DPA also censured Nuuday for its delayed response to the DSAR, which violated the 30-day deadline set by the EU General Data Protection Regulation (GDPR). As Nuuday admitted, it had neither a purpose nor a legal basis for collecting an individual’s social security number. It also confessed that it had failed to respond to the DSAR promptly.
One key takeaway of this story is that organizations must have an effective process for handling DSARs to achieve privacy compliance.
Despite the challenges encountered when complying with DSARs, organizations must show that they respect the privacy of their customers and employees and are committed to protecting their personal data.
There are five steps you need to follow to handle DSARs effectively. Here they are:
1. Understand the types of data that fall under privacy laws.
Complying with a DSAR can be complex and time-consuming, as different data types fall under privacy laws. Some of this data includes personal data, like an individual’s name or contact information. Other data types that may be protected under privacy laws include financial, health, and even biometric data. Collecting and managing this data can be a challenge for organizations, so it’s essential to have a process for handling DSARs. By understanding the types of data that fall under privacy laws, organizations can better prepare for and comply with DSARs.
This also means that companies must be able to explain what types of data they are collecting and for what purpose. Failing to answer a DSAR can result in a significant fine or even criminal charges. As a result, companies need to understand the types of data they are collecting and processing in order to comply with DSARs.
2. Know where this data is stored.
Organizations need to have a data inventory in place. A data inventory is a complete and up-to-date list of all the personal data you hold on individuals, along with information on where it came from and how it is being used. It results from the process of collecting and organizing data from different sources. Having a data inventory in place makes it much easier to identify and retrieve the information that is being requested, saving you valuable time and resources.
In addition, a data inventory can help you understand exactly what personal data you hold and ensure that you’re only holding onto information necessary for your business. Ultimately, a data inventory is essential to complying with DSARs. The DSAR process can be long, complicated, and costly without one. Without a data inventory, you may struggle to find the relevant information, leading to delays in fulfilling the request. In some cases, you may even be unable to comply with the request. Therefore, it is essential to have a data inventory in place to help you comply with DSARs.
3. Be able to identify the data subjects.
It is crucial to authenticate the identity of every data subject who files a DSAR. This may seem straightforward, but determining who qualifies as a data subject can often be challenging. The identity of a data subject must be verified to avoid a data breach caused by disclosing personal information to an unauthorized party. It is essential to ensure that each request is genuine and legitimate; otherwise, you will expose your organization to a privacy violation.
There are several ways to authenticate an individual’s identity. For example, you can ask security questions that the individuals already provided during registration, such as when they created an online profile with your organization. You can also leverage an existing password-protected account or engage third-party verification services specializing in this work.
As a result, it is essential to take the time to carefully identify all data subjects before trying to comply with a DSAR. Failure to do so could lead to delays and other problems.
4. Understand the rights of data subjects under GDPR.
Privacy law can be a tricky subject to navigate, especially when dealing with DSARs. Before responding, ensure the requester has established that they have a right under privacy law to the information requested in the DSAR. Remember, if you disclose information to which the requester has no privacy right, you could be violating privacy regulations.
Out of an abundance of caution, get professional advice if you are unsure whether or not the information the requester has requested is subject to a privacy right. In doing so, you’ll be able to protect the personal information of your customers and employees from unauthorized access and disclosure.
5. Keep track of everything you do regarding DSARs.
Complying with DSARs can be burdensome and time-consuming. Thus, keeping track of everything you do regarding them is essential. After the DSAR has been responded to and fulfilled, record it. There should be documentation evidencing that the DSAR was responded to thoroughly and promptly.
It is essential to establish a robust audit trail for accountability and compliance. A privacy technology platform can be leveraged to create an audit trail for this DSAR process. An audit trail includes keeping records of all correspondence and any information you collect about the individual making the request. Keeping track of everything you do can help ensure that your company complies with its obligations under privacy laws and avoids potential penalties.
As you can see, complying with DSARs is no easy task. It requires a lot of planning and effort to create an effective process for handling these requests. But don’t worry, we’re here to help. Our global team of legal and privacy experts offers a cost-effective DSAR package that will help you seamlessly comply with your DSAR obligations. So, what are you waiting for? Get started today, and be sure to reach out if you need any help along the way.