Best practices for handling GDPR “right of access” requests
The EU’s General Data Protection Regulation (“GDPR”) entitles any data subject to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, to get access to the personal data as well as to further information, such as the purpose of the processing, the recipients to whom the personal data have been or will be disclosed, the envisaged period for which the data will be stored or the right to lodge a complaint with a supervisory authority (“Right of access”, Art. 15 GDPR).
According to a survey, organisations spend an average of USD 1’400 to manually process such a data subject access request (“DSAR”), partly because most companies need two weeks or longer to respond to a DSAR. During a webcast dated 20 January 2021, a panel of experts discussed DSAR compliance challenges and best practices. As stated in a recent article in Compliance Week, these experts suggest setting up a standard DSAR workflow: i) proportional verification of the data subject’s identity when a DSAR is received, ii) design of a proper workflow, and iii) a mapping exercise.