
DSAR: Data Subject Access Right's Walk-Through

Updated: Apr 19, 2023

By submitting a Data Subject Access Right (DSAR) request, a consumer can ask for the information that has been taken by the organization, and the organization is obliged to respond with a copy of the relevant data.

Verify the Subject’s Identity

If you receive a request for data, verify the identity of the requester with a verification email and/or captcha. If the requester is verified as an owner of that data, send the information to the appropriate person or department, and ensure you have confirmed with them that it is OK to forward the data to another person or step in a process.

If you do not know whether you have possession of this information, send a response back to the individual stating why you are unable to assist them based on what they have been able to provide.

Determine the Objective of the Request

Audit the DSAR requests to determine what the requester wants to know. In most cases, subjects simply want to see all the data you have on them, but they may invoke other data privacy rights at the same time. For instance, a subject may request rectification, meaning the correction of inaccurate data.

Review the Data

Before you send the personal data over to the recipient, review it thoroughly. Make sure it doesn’t contain any other person's information or even your own for that matter. For business purposes, adding explanations to your personal data can come in handy at times as well.


Well, there are a couple of responses that one can take. For starters, you’ll need to gather all the facts and details of the subject into an organized response. This could be in the form of a spreadsheet or a table with rows and columns – but whatever it is, it must be easy to read and accessible via direct download.

Privacy legislation around the world provides diverse types of data formats that are easy to understand, so be sure to pick one that fits your unique situation best. Most of the Privacy Acts being passed also encourage you to give data subjects remote access to your security system, so they can access their files more quickly if they would like updates or changes made!

Explain the Subject’s Rights

At the bottom of your response, include a message pertaining to data privacy rights. It is important to remember that you are not obligated to answer every question a person asks when they seek information or details about you.

Also remind them that they have the “right to object” to the processing of their personal data, as well as request rectification or erasure of their stored data and/or lodge complaints with supervising authorities if they feel your use of their data has been inaccurate.

Data to the Subject

As you close the final phases of the job, take time to confirm your responsibilities with all parties involved. Document everything you have accomplished for future reference, to ensure accountability and transparency in your work. This way you will be prepared to show your work should you be audited in the future.


The Right to be Forgotten (RTBF) allows consumers to request that the organization remove their personal information from their databases. To comply with the GDPR, organizations must be able to sort through their databases and identify personal data, as well as the consumer’s contact information.

Organizations must also be able to verify whether they have received a request to delete a record and respond appropriately to that request.

Streamlining all the data and creating a data inventory manually could take years! Years aren’t an option, which leads organizations to automate the process. Adzapier helps organizations with our proprietary DSAR Management app built within our Consent Management Platform (CMP). Our DSAR Management makes it easy to find forms, create workflows, and most importantly manage all incoming and outgoing messages pertaining to Data Subject Access Requests. Our customizable platform offers secure cross-channel integration to help businesses like yours be legally prepared for data protection laws.

*Any information obtained from the Adzapier website, services, platform, tools, or comments, whether oral or written, does not constitute legal or regulatory advice. If legal assistance is required, users should seek legal advice from an attorney, a lawyer, or a law firm.*
