The United Kingdom General Data Protection Regulation (UK GDPR) provides data subjects with numerous data subject rights, e.g. the right to be informed, with the active rights being exercisable against the controller through so-called data subject requests.
Dealing with data subject requests or fulfilling data subject rights is a considerable challenge for many companies. Our practical guide helps you in three concrete steps to respond to data subject requests in a data protection-compliant manner.
How important is it to respond to data subject requests?
A customer who senses a data protection breach, wants to get an overview of the data stored about him or her, or who is simply looking for means to force a discount, can throw an unprepared company into turmoil by exercising one of their active data protection rights (Art. 15 – Art. 22 UK GDPR): Quickly, the threat to complain to the Information Commissioner´s Office (ICO), the UK´s data protection authority, if the feedback is not provided in time or is not satisfactory becomes a real danger. This is because the ICO must take action if a data subject turns to it (Art. 57 (1) (f) UK GDPR).
In the case of serious concerns, it is then only a matter of time until the letter from the authority arrives announcing the upcoming audit of the processing activities or the data protection documents. Those who are still unprepared risk high fines (Art. 83 UK GDPR) and, if necessary, negative public reports. Depending on the industry and the size of the company, both of these can threaten the existence of the company.
To avoid an audit by the authorities in the first place, it is advisable to be well prepared in advance for data protection-related enquiries from data subjects with the help of a reliable data protection management system in order to be able to react quickly and professionally if the worst comes to the worst.
In particular, the following three points should be taken into account:
First, no hasty reactions and information – professional review is required
Enquiries of a data protection nature should ideally be received exclusively via a central data protection e-mail address (e.g.: privacy@mycompany.com). It is advisable to publish such an address in the data protection notice / privacy policy on the website and in all other places where the company fulfils its information obligations (Art. 13, 14 UK GDPR).
Just as the data protection address is often “mistakenly” misused by customers for complaints, product orders and even job applications, many genuine data protection enquiries are also received directly by customer service. Customer service should be sensitised to deal with incoming enquiries, e.g. through on-site or online data protection training and / or a workshop on data protection-compliant customer care.
Under no circumstances should requests be answered “on the spur of the moment” and/or data deleted in order to get rid of the matter. Requests from data subjects should first be examined by the data protection officer or data protection coordinator. The following points should be checked in particular:
- Which legal claim (Art. 15 to Art. 22 UK GDPR) was specifically asserted? Are several claims being asserted at the same time?
- Has the data subject contacted the right company? If necessary, forward the request to the controller.
- Does a defined process (policy) already exist in the company with regard to the asserted right, which can now be followed?
- Has the data subject identified themselves sufficiently or is there a need for an identity check (which should be carried out carefully)? Compare the information provided by the data subject in their letter with that which can be found in the systems.
- Are / were data on the data subject being processed at all? Consult with customer service and / or other areas in which personal data are processed. If there is a lack of clarity despite internal consultation, ask the data subject which data is meant.
- Is the claim justified or is there a lack of justification (especially in the case of a rectification claim)?
- Are all of the person’s wishes covered by the asserted data subject right?
- Would answering the request affect the rights of other data subjects or the company (e.g. business secrets)? If yes: Can / must the request of the data subject request still be met?
- Are there any other legal requirements (e.g. regarding the storage period of the data) that stand in the way of the data subject’s request?
- Within what legal period must the data subject’s request be met?
- Do templates (documents) already exist that can be used to respond to the request?
Second, no unstructured processing – professional coordination is required
Once the justification of the asserted right(s) has been clarified, it is a matter of ensuring that the affected party’s request is answered quickly and in a legally impeccable manner. This regularly requires the involvement of various company departments.
If, for example, the data subject has a legitimate claim to the deletion or restriction of (some of) their data, it may be necessary to involve IT in order to delete or restrict all or selected data records. If the data subject exercises their right to information, the data protection officer or data protection coordinator should consult with all departments in which data relating to the data subject is (or could be) processed. The following arrangements should be made for professional coordination, among others:
- Right of access, right of erasure, right of restriction, right of rectification (Art. 16 to 18 UK GDPR): Easy-to-understand instructions (guidance in set steps) for the data protection coordinator or the individual departments on how a data subject’s legitimate request must be met.
- Right of access (Art. 15 UK GDPR): Template for providing information on data, data recipients, deletion periods, processing purposes, etc.
- Right to data portability (Art. 20 UK GDPR): Implementation of technical and organisational instruments that enable secure data transfer.
- Right of action (Art. 22 (3) UK GDPR): Process for human review of an automated individual decision and the data subject’s point of view.
- Notification obligation in case of rectification or erasure (Art. 19 UK GDPR): Template for informing business partners, contractors and others to whom personal data relating to the data subject have been disclosed in the past. If applicable, template for informing the data subject about the individual recipients.
- Right to object and revoke (Art. 21, Art. 7 (3) UK GDPR): Keep a revocation or objection list in the areas of marketing (“opt-out list”) and, if applicable, analytics, in order to prevent further addressing or analysis of the customer. Ensure that all objections or revocations are forwarded to the responsible department in the company and that nothing is “swept under the table”.
Third, no uncontrolled provision of data – professional communication is required.
The processing of some data subjects’ rights requires the provision of data to the data subject and/or to other bodies. The provisions of personal data is always “risky” and should never be done thoughtlessly – not even if the first and second steps of this guide have been carried out successfully, i.e. the data subject’s request has been legally examined and the necessary measures, such as deletion, correction or the completion of an information sheet, have been taken.
Now it must be ensured that any necessary information of the data subject and/or other bodies is provided in a secure and verifiable manner (Art. 32 UK GDPR, Art. 5 (2) UK GDPR) and that only exactly the data that may be communicated is communicated. The following points, among others, must be observed:
- Right to access (1): Information by telephone only if expressly requested by the data subject. In case of doubt, the company should be able to prove that it has complied with the access request in accordance with the law. In the case of information by telephone, it is not always certain that the person on the phone is actually the person concerned.
- Right to access (2): Use secure encryption technology if the data is to be sent to the data subject by e-mail. If container passwords are used, the password should be given to the data subject by telephone or on a separate channel.
- Right of erasure, right of rectification, right of restriction: Confirmation that erasure, rectification or restriction has taken place. The confirmation of deletion should also be deleted afterwards. If there was no data on the data subject at all (see step 2): Send a so-called “negative information notice” – i.e. the information that no data is stored.
Conclusion: A good process makes all the difference when it comes to data subjects’ rights.
Detailed process descriptions often do more harm than good. With data protection rights, this is remarkably different: Those who prepare their staff well here, by means of training, guidelines, presentations and templates, and clearly define responsibilities in concepts minimise the risk of escalation in communication with the data subject later.
Especially in companies where data protection enquiries are part of the daily routine, it must be possible for these to be handled as independently as possible by the internal data protection coordinators in order to ensure a quick response. However, the company´s or external data protection officer should always be consulted in the event of ambiguities.