Receiving a data subject rights request can be unnerving if you don’t know where to start, so we have put together 5 handy tips to start you on the path to successfully responding:
1. Diarise and communicate
You have one month from the date the request was received to respond to the request. You should diarise the response date and any changes to this.
Make sure that you promptly acknowledge the request and that you keep the data subject updated. Complaints often arise where the data subject feels like their request is being ignored or that they do not know when to expect a response.
If you need to extend the time frame for responding because the request is complex or you are dealing with multiple requests from the same individual (where an extension by a further two months is possible), you must let the individual know within one month of receiving the request and explain why the extension is necessary.
Before considering an extension, you should be sure that you understand when a request will be considered complex by the ICO.
2. Check if you need more information to verify the requester’s identity
If you are concerned about the identity of the requester, you can ask for more information to verify their identity. You cannot take a one-size-fits-all approach to checking identity; it needs to be proportionate.
If the individual’s identity is obvious to you, you should not ask for more information. For example, where an employee sends a request from their work email address and follows this with a phone call it would likely be inappropriate to request further information.
However, in less obvious situations, it may be necessary to, for example, verify account details or even request identity documentation. The key is proportionality, considering the data you hold, the nature of the data, and what you are using it for.
The time to respond to the data subject rights request will not start until you receive the information, but the ICO makes it clear that you must request this information promptly.
3. Check you understand the request
Another source of complaints can be failure to properly respond to a request. You should review the request carefully before acting on it and ensure you understand what it covers to avoid wasted time and resources. Seeking clarification from the data subject is possible in some situations.
4. Understand the rights and any situations where they don’t apply or there are relevant exemptions
In order to respond effectively, you need to ensure you understand the scope of the right which is being exercised and when it applies. Not all rights are absolute; for example, the right to erasure does not apply if processing is necessary to (amongst other reasons) comply with a legal obligation or exercise the right of freedom of expression and information.
There are a number of exemptions which may limit the duty you have to comply with the request. In addition, if the request is manifestly unfounded or excessive, you can refuse to comply with it. Again, you should not make assumptions about what these terms mean without referring to the guidance.
5. Log the decisions you have made
You should maintain a data subject rights request log to document the data subject rights requests that have been received and the responses that have been provided.
This is a great way to record and justify the decisions that have been made in relation to the request. You may need this information if the data subject raises a complaint at a later date.
Contact Us
Responding to individuals’ rights requests can be complex, so taking time to really understand the ICO guidance and ensuring you have an effective policy and procedural guidance tailored to your organisation can really help put you on the path to success.
If you would like assistance with updating your processes and procedures to ensure you are in a good position to deal with data subject rights requests when you receive them, please get in touch with us by emailing hello@hellodpo.com.