How do I complete a data subject request?
When a data subject requests to access, amend, or erase their personal data, the data controller is responsible for executing that request.
One of the first steps in this process is locating all of the personal data that pertains to the data subject. This includes the data stored in your company’s internal database, as well as the data held in the external databases of applications your company uses (e.g., Gmail, Stripe, Vault, etc.). There are a few approaches to fulfilling a DSAR (data subject access request).
How It Works
Some organizations will conduct this process manually.
- To prepare for fulfilling DSARs, the data protection officer (DPO) or data controller will identify all of the different applications the company uses where personal data is stored (including employee data) and enter these details into a spreadsheet.
- Once a DSAR is submitted, the DPO will begin the process of fulfilling the request.
- Next, a developer (or someone with administrative access to the different systems) will search for the personal data belonging to the data subject.
- These searches can be conducted by name, email, identification number, etc.
- When it comes to searching third-party databases, the data controller may have to submit a request to their counterparts at those companies for access to the personal data of the data subject featured in the request.
- Once all of the personal data belonging to the data subject is identified across all systems, the DSAR can be executed.
Remember, GDPR requires that every DSAR be completed in its entirety and allows no latitude for human error. The DSAR should therefore be conducted painstakingly and with keen attention to detail, so that no personal data is retained without the permission of the data subject.
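As an added illustration of the manual search step above (this is not TrueVault's code, nor any particular product's), the routine below walks a constructed inventory of systems, matches records on normalised identifiers such as email or customer id, and reports how many days remain on the deadline clock. The inventory, field names, records and dates are all constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample inventory: each key is one system the DPO listed in the
# spreadsheet, with the records it holds (in practice fetched via that system's
# API or by an administrator with access to it).
INVENTORY = {
    "internal_db": [
        {"id": "c-1001", "email": "Hanna@Example.com", "name": "Hanna Berg", "city": "Oslo"},
        {"id": "c-1002", "email": "stefan@example.com", "name": "Stefan Kol"},
    ],
    "billing_app": [  # stands in for a third-party processor such as Stripe
        {"customer_email": "hanna@example.com", "last_invoice": "2023-11-02"},
    ],
    "support_app": [
        {"from": "hanna@example.com", "body": "Please update my address."},
        {"from": "someone@else.test", "body": "Hello"},
    ],
}

# Field names under which each system may reference a person (constructed).
IDENTIFIER_FIELDS = ("email", "customer_email", "from", "id", "name")
DEADLINE_DAYS = 30  # the countdown clock described on the page


def normalise(value):
    """Case- and whitespace-insensitive comparison for emails and ids."""
    return str(value).strip().lower()


def locate_subject_data(inventory, identifiers):
    """Search every inventoried system for records referencing the subject.

    Returns {system: [matching records]}. Systems with no hits still appear
    with an empty list, so the report documents that they were checked."""
    wanted = {normalise(i) for i in identifiers}
    profile = {}
    for system, records in inventory.items():
        profile[system] = [
            r for r in records
            if any(f in r and normalise(r[f]) in wanted for f in IDENTIFIER_FIELDS)
        ]
    return profile


def days_remaining(filed_on_iso, today_iso):
    """Days left on the countdown clock (negative means the DSAR is overdue)."""
    filed_on = date.fromisoformat(filed_on_iso)
    today = date.fromisoformat(today_iso)
    return (filed_on + timedelta(days=DEADLINE_DAYS) - today).days
```

Running `locate_subject_data(INVENTORY, ["hanna@example.com", "c-1001"])` returns one matching record per system, including the support message that references the subject only by sender address.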
TrueVault developed an automated solution to DSAR processing.
Search makes it simpler for companies to manage personal data in a manner that is compliant with data protection regulations such as GDPR. The functionality of TrueVault Atlas is particularly useful for executing DSARs without the risk of human error.
- First, TrueVault Atlas is loaded. The compliance officer, or whoever is executing the DSAR, will type in the email address belonging to the data subject.
- Next, TrueVault Atlas combs different databases, both internal to the company, as well as those that are auxiliary, for personal data associated with the data subject filing the request.
- Once the personal data is located, TrueVault Atlas creates a data subject profile, which summarizes demographic information about the data subject (e.g., first/last name, address, etc.).
- The profile goes a level deeper to search for records that refer to the data subject by their identifier. This could include behavior data, messaging that references the particular data subject, and more.
- Once the data subject profile is loaded, the DSAR can be executed with ease.
- Once the DSAR is executed, the controller can pass the information the data subject had petitioned for to the appropriate party, or amend and delete the personal data as requested.
Search also includes a DSAR tracking feature, which helps the DPO monitor the progress of a DSAR against a countdown clock that starts as soon as the DSAR is filed and counts down to 30 days. DPOs can also feel confident that all the personal data belonging to the data subject has been identified. Our product creates fewer opportunities for human error, reducing the risk of mistakes that could botch the process and thereby limiting your company’s risk of breaching GDPR.
Real World Example: Spreadsheets vs. TrueVault Atlas
The Situation
A data subject (Hanna) submits a DSAR to your company (ACME Company). Hanna would like to receive an electronic copy of all of the personal data ACME Company may have collected (Article 15, Right to Access) over the years.
Hanna is a long-time client with ACME Company, so you know that there is a wealth of personal data related to the DSAR that is stored in your company’s internal database as well as across multiple applications that are integrated with your company’s API. Stefan, the lead developer for ACME Company, is charged with processing DSARs because he has administrative access to multiple platforms that store personal data. He is managing DSARs until a full-time role for this duty is filled.
The Problem
As the lead developer for ACME Company, Stefan has a number of competing responsibilities, including engineering a new product, leading a team of developers, and now fulfilling DSARs within one month of their submission.
Fulfilling DSARs is incredibly time consuming, because it requires authenticating the identity of the data subject; locating where their personal data may be stored; submitting DSARs to third-party applications that may integrate with ACME Company; aggregating this personal data into a report; and finally, executing the DSAR, whether that involves accessing the data, amending the data, or erasing the data entirely.
Stefan’s supervisor, Mila, is assigned as the Data Protection Officer for ACME. Mila is charged with ensuring ACME maintains compliance with GDPR, but cannot directly interact with data processing activities. Instead, she checks in with Stefan to ensure that DSARs are executed within the one-month time frame articulated in the Regulation.
The Solution: TrueVault Atlas
There is no current best practice for executing DSARs in a manner that is replicable, comprehensive, or free of human error. Instead, there is an enormous administrative burden to fulfill DSARs for data processing companies like ACME.
Stefan will be spending a lot of time going through spreadsheets categorizing where personal data is stored, the types of personal data stored, and the identifiable individuals featured in different personal data records. He may even be forced to connect with his counterparts at different companies (e.g., Stripe, Salesforce) where personal data records are stored on behalf of ACME. The administrative lift required to fulfill Hanna’s DSAR within a one-month period is intensive, particularly without a tool that can automate some of this process.
By using a personal data management tool such as TrueVault’s Atlas, fewer resources need to be deployed to execute every DSAR submitted to ACME. Now Stefan simply needs to load TrueVault Atlas and type in Hanna’s identifying details (e.g., the email address she uses to log in to ACME). Once submitted, TrueVault Atlas will review ACME’s personal data inventory across multiple databases, both internal and external, to load a comprehensive data subject profile about Hanna. Stefan can then export the data subject profile in an easy-to-read .csv or .txt format and securely send it to Hanna.
While Stefan is executing Hanna’s DSAR, Mila (the DPO for ACME) can monitor progress on this particular DSAR using the TrueVault Atlas Tracking Feature, which allows the DPO to monitor what tasks have been executed and what tasks are outstanding in processing a DSAR, against a countdown clock that begins as soon as the DSAR is submitted.
Get started with our GDPR Checklist.