Managing Subject Access Requests (SARs) Under GDPR
A few weeks ago, the European Union changed much of the digital world. On May 25, the much-anticipated General Data Protection Regulation (GDPR) came into force. While businesses with a digital presence in Europe scrambled to meet that deadline, there are still a lot of questions about what it means and how it will affect business-customer relationships.
One fundamental question is how do businesses verify the identity of a Subject Access Request (SAR) received from an individual? While many organizations have been focused on putting a framework in place to manage personal data of EU citizens to ensure they comply with GDPR, they haven’t given much thought to how they will manage SARs.
A person submitting a request to access their data must be able to do so either electronically or physically. Generally, that means having a way to contact a business through a web form, email or by telephone. If such a request is made, the organization must respond within one month. Extensions of up to three months may be granted if the request is highly complex or requires an immense amount of data to be processed. Furthermore, the information must be provided for free, though an administrative fee may be charged if the request is deemed excessive or unreasonable.
When a data subject makes a request for their information, they can ask specifics about the data the business holds. Naturally, this includes the basics such as the name, address and email held on record. But they can also ask about the organization’s purpose for processing the data, the categories of personal data held, who has access to the data, whether or not it will be transferred outside of the EU, how long it is being stored, if there are any automated decision processes regarding the data and more.
Under the GDPR, the data subject is viewed as being the ultimate owner of the data. As such, they have the right to have control over their personal data and that includes deletion from business data systems. Whether a business operates as a data controller or data processor, the onus is to not only respond but to also comply with such a request. That can cause a number of complexities and problems and if such a request does come through, there are steps a business must take to meet the data subject’s deletion request.
Data Subjects’ Rights
The GDPR grants EU residents a number of fundamental rights regarding their data. One of those — the right to erasure, or the right to be forgotten — is considered one of the more difficult rights to process and manage given both the fluid nature of data and the way in which it is used to power many web applications.
A data subject can request erasure from a data controller and if it meets any of the conditions listed, it must be respected without delay so as to meet the one-month deadline:
- The data is no longer needed
- The subject no longer consents to the processing of their data, despite previously agreeing such
- The subject exercises their right to object to the processing of their data
- Data controllers and/or processors are unlawfully using the data
- Data has a legal requirement for deletion
- The data subject was a child when the data was collected
Additionally, if the data subject’s information should ever become public, the controller must take responsibility and make reasonable efforts to have it removed and deleted from other data processors.
There are some exceptions, though, including compliance measures, legal requirements to hold data, or matters in the public interest such as public health, statistics and research or freedom of expression reasons. But a business must be careful not to use these exceptions in a frivolous manner or as a method for denying deletions requests.
Verify and Delete
Once the data subject makes the request and it is deemed to fit within the GDPR’s stipulations for data erasure, the organization is responsible for removing that data. But before going to the extensive process of releasing or deleting a subject’s data, it is wise to first determine that the request is indeed coming from the actual data subject. That requires verifying their identity.
While a data subject has the right to erasure, processing a fraudulent request and releasing or deleting data from a business system can cause a completely different set of problems. That can be mitigated by adding a step into workflows to verify the identity of the party making the request. Doing so will help ensure that no customer harm is caused by releasing data to a scammer and that customers are not inconvenienced by having information deleted when they did not request it be removed. This can be done through a number of electronic identity verification methods, which can include identity data attributes, mobile and biometric data, and processes for document verification.
This is both a good practice — ensuring that fraudulent requests aren’t processed — and one that won’t put enormous strains on the business or its compliance team. Requests could be plentiful. A Capgemini survey from April 2018 revealed that as many as 57 percent will take action if the organization they are interacting with is not ensuring protection of their personal data.
If that does become the reality, data processors and collectors are going to have to make sure that their handling of deletion requests and verification processes are organized and efficient. With only a month to respond to a data subject’s deletion request, the faster and more automated the process, the easier it will be to comply with GDPR regulations and avoid the associated penalties and fines — which can run up to four percent of company revenues.