Educating Employees on Data Subject Rights – Data Privacy Manager

Data subject rights are one of the cornerstones of the General Data Protection Regulation (GDPR), which is why a violation of any data subject right attracts the highest tier of penalties: up to €20 million or up to 4% of total global turnover. All the more reason to conduct education and awareness training that covers the subject, not only to avoid fines but to go beyond basic compliance and cultivate a culture of responsibility within the organization.

Organizational Readiness

Organizations are sometimes overly confident in their readiness to respond to requests for access, rectification, deletion, data portability, restriction of processing, and objection. This overconfidence often means underestimating the complexity of handling these requests properly and the need to educate employees to identify and respond to them effectively.

The Importance of Employee Education on Data Subject Rights

A lack of proper training creates problems at the very first stage, when a request is submitted. Even with every other process in place, the effort is wasted if employees are not trained to recognize a request when it reaches them.

All relevant employees should be trained to recognize requests, initiate the handling process, verify the requestor's identity, and process the request correctly. Regular training ensures the organization's responses comply with data protection laws.

- Regulatory Compliance: Understanding data subject rights is essential for compliance with the GDPR and other data protection regulations. Non-compliance can result in significant fines and legal repercussions.
- Customer Trust: Customers are more likely to trust businesses that respect their data privacy rights, leading to increased loyalty and a stronger brand reputation.
- Risk Mitigation: Educated employees are less likely to make mistakes that could lead to data breaches or non-compliance incidents.
- Operational Efficiency: When employees understand data subject rights, they can handle data-related requests and issues more efficiently, reducing the burden on legal and compliance teams.

First Steps in Handling Data Subject Requests

Employees need proper training to understand what counts as personal data, how requests can be submitted, who to notify within the organization, the timeframe for responding, and how to communicate with the individual about their request.

This does not mean they will fulfil the request from a technical perspective, but there has to be a playbook they can follow, and they need to understand the next steps.

From there on, the organization needs to know where the data is located, understand which personal information it holds about the individual, and respect the timeframe for responding, which is typically 30 days from receipt of the request.

Identifying Data Subject Requests

Each of the data subject rights is equally important and highly complex. It is an individual's prerogative to demand that those rights be fulfilled without giving reasons for the request.

Data subject requests can be made verbally or in writing, through any channel, including social media, and to any person inside your organization. The request does not have to mention the GDPR or a specific right as long as it is clear what the data subject is requesting.

This can be challenging, since any request sent to any employee of your organization counts as valid, so there is a high likelihood that employees in departments such as marketing will need to recognize a request and take the next steps.

That is why it is important to understand which departments could encounter such requests and to educate them on how to respond when a request comes their way.

Types of Data Subject Requests

There are eight data subject rights, which we discussed in more detail in our blog post "What are 8 Data Subject Rights according to the GDPR?". Here we mention them only briefly.

1. Right to be informed

The right to be informed allows individuals to know what personal data is collected about them, why, who is collecting it, for how long, how they can file a complaint, and whether the data is shared.

2. Right of access

Individuals have the right to make access requests and obtain information on whether their personal data is being processed. The organization must then provide a copy of the personal data it holds about the individual, along with any additional relevant information.

3. Right to rectification

The right to rectification enables individuals to request that the organization correct any inaccurate or incomplete data it holds about them. Upon receiving such a request, the organization must verify the inaccuracy and rectify the data; if it confirms the data is incorrect, it is legally required to respond to the request within one month.

4. Right to erasure (right to be forgotten)

The right to be forgotten, also referred to as the right to erasure, grants individuals the ability to request the deletion of their personal data:

- when the personal data is no longer necessary for its original purpose;
- when the individual withdraws their consent for processing;
- when the personal data is unlawfully processed;
- when the individual objects to the processing and there is no legitimate reason for continued processing;
- when erasure is necessary to comply with EU or national law obligations.

5. Right to restrict processing

Individuals have the right to request that an organization restrict the use of their personal data, even though the organization is not obligated to delete it outright. Once the data is restricted, the organization cannot process it unless it obtains consent, needs it for legal claims, or needs to protect the rights of others.

6. Right to data portability

Data portability enables individuals to receive their personal data from an organization in a structured, commonly used, and machine-readable format. Moreover, individuals can request that this data be transmitted directly to another organization. However, this right applies only to data the individual has provided to the organization by consent or under a contract, and only where the processing is automated.

This right also extends to data concerning an individual's behavior, such as search queries, location data, browsing history, and similar information.

7. Right to object

The right to object empowers individuals to challenge the processing of their personal data at any time, under specific circumstances determined by the purpose and legal basis for processing.

8. Rights related to automated decision-making and profiling

The right not to be subjected to automated decision-making, including various forms of profiling (such as economic status, health, personal preferences, interests, reliability, behavior, or location), especially when such processing has a substantial legal impact on the individual.

Practical Application

1. Recognizing and Handling Data Subject Requests

Data subject requests cover various rights, such as access to personal data, rectification, deletion ("right to be forgotten"), data portability, restriction of processing, and objection. To handle these requests effectively, organizations should:

- Establish Clear Channels: Setting up dedicated channels (e.g., email addresses or privacy portals) helps you centralize and monitor requests. While data subjects can submit requests through any channel, dedicated channels remain beneficial: they streamline intake so that requests are promptly recognized, categorized, and responded to according to regulatory requirements.
- Train Personnel: Educate relevant staff (e.g., customer service, IT support, marketing) on identifying data subject requests. Training should cover recognizing valid requests, understanding the different rights, and reporting or escalating requests as needed.
- Automate Processes: Privacy software offers easier orchestration and management of data subject rights. It automates the entire process so that the IT systems where the data is stored can execute user requests in a timely manner. The process becomes an automated workflow, giving you clear insight from the registration of a request through approval and data processing to the notification of the user about the outcome.

2. Verifying the Identity of the Data Subject

Verifying the data subject's identity is critical to prevent unauthorized access to personal data. Effective procedures include:

- Verification Methods: Establishing robust methods for verifying the data subject's identity, such as requiring specific forms of identification or using multi-factor authentication (MFA) for online requests. The DPM Privacy Portal is a self-service interface that gives customers control over managing their requests, with simple and secure access to their requests, while allowing the organization to keep them in check.
- Documentation: Maintaining clear records of the verification process ensures accountability and compliance with data protection regulations. This documentation should include details of the verification steps taken and any challenges encountered. It can also be tracked in specialized privacy software such as DPM, keeping everything in one place for progress tracking and audit purposes.
- Data Minimization: Collecting and processing only the information necessary to verify identity minimizes the risk of unnecessary exposure of personal data during the verification process.

3. Ensuring Timely and Accurate Responses

Timely and accurate responses are crucial for maintaining transparency and trust with data subjects. Key steps include:

- Internal Coordination: Establishing clear lines of communication and responsibilities within the organization ensures that requests are promptly routed to the relevant departments for processing.
- Data Discovery: Identifying all relevant personal data across the different systems, databases, and storage locations within the organization. This involves understanding data flows and mapping where personal data resides. State-of-the-art data discovery helps prevent false positives, uncovers shadow processing and dark data, and lets you automatically search for personal data across all IT systems. For example, if you receive a request for data deletion, you can detect all the personal data you hold about the individual and proceed with the request.
- Response Timeframes: Adhering to the regulatory requirements for responding demonstrates a commitment to data protection principles. Organizations should have mechanisms in place to monitor response times and escalate unresolved requests as necessary.
- Quality Assurance: Implementing quality assurance processes, such as reviewing responses for accuracy and completeness before finalizing them, helps ensure that data subjects receive comprehensive and correct information.

By focusing on these practical aspects of handling requests (recognizing and categorizing requests, verifying identities securely, and ensuring timely and accurate responses), organizations can effectively meet their obligations under data protection laws while fostering trust and accountability with data subjects.

Who is Responsible for Responding to Requests

Depending on whether a Data Protection Officer (DPO) is appointed, different roles within an organization can be responsible for responding to requests.

Not all organizations are required to appoint a DPO. However, they are still obligated to respond to requests, meaning they need a designated employee responsible for overseeing and responding to them.

- Data Protection Officer (DPO): While the DPO might not perform the actual tasks of collecting and redacting data, they supervise the response process and ensure compliance with GDPR requirements.
- Designated Employee: Ideally, this employee already understands data protection laws and compliance requirements. However, additional training and education in the data protection field is advisable to ensure compliance.

Handling Data Subject Requests with Privacy Software

Managing Data Subject Requests (DSRs) can be a challenging task for any organization, demanding significant time, resources, and attention to detail. That is why automation can be a key differentiator in critical situations and help you monitor requests in your daily operations.

DPM Data Subject Request is a module for orchestrating and managing data subject rights. It automates the entire process so that the IT systems where the data is stored can execute user requests in a timely manner.

The process becomes an automated workflow, giving you clear insight every step of the way, from registering a user request through request approval and data processing to notifying the user about the request's outcome.

Most importantly, the module represents one central place for supervising requests and provides the DPO with all the information necessary for managing requests within the limits of the response date.
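As an added example (my own code, not Data Privacy Manager's and not the DPM module described above), the following Python sketches the intake side of the three practical steps: a request record that accepts any channel, a verification record that keeps only a digest of the evidence rather than the evidence itself (data minimization), a gate that refuses to route a request until identity is verified, an audit trail of the steps taken, a response deadline of one month from receipt, and a daily triage that flags requests approaching or past their deadline for escalation. All class and function names, the five-day warning threshold, the month-end clamping of the deadline and the sample requests are my assumptions; the page itself states the deadline only as "one month" or "typically 30 days".

```python
import calendar
import hashlib
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional

class RequestType(Enum):
    """The eight data subject rights listed in the article."""
    INFORMATION = "right to be informed"
    ACCESS = "right of access"
    RECTIFICATION = "right to rectification"
    ERASURE = "right to erasure"
    RESTRICTION = "right to restrict processing"
    PORTABILITY = "right to data portability"
    OBJECTION = "right to object"
    AUTOMATED_DECISION = "automated decision-making and profiling"

def add_one_month(d: date) -> date:
    # "One month from receipt", read (my assumption) as the same day of the next
    # month, clamped to that month's last day: 31 Jan -> 28 or 29 Feb.
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def deadline_iso(received_iso: str) -> str:
    return add_one_month(date.fromisoformat(received_iso)).isoformat()

class NotVerified(Exception):
    """Data would be disclosed or changed before the requestor's identity was verified."""

@dataclass
class VerificationRecord:
    method: str           # constructed values such as "mfa" or "id_document"
    evidence_sha256: str  # digest only; the evidence itself is not kept (data minimization)
    verified_on: date

@dataclass
class DataSubjectRequest:
    request_id: str
    subject_ref: str      # internal pseudonymous reference, not the subject's name
    request_type: RequestType
    received_on: date
    channel: str          # any channel counts: email, social media, phone, in person
    verification: Optional[VerificationRecord] = None
    status: str = "received"
    audit_log: list = field(default_factory=list)   # the documentation trail

    @property
    def deadline(self) -> date:
        return add_one_month(self.received_on)

    def record_verification(self, method: str, evidence: bytes, on: date) -> None:
        digest = hashlib.sha256(evidence).hexdigest()
        self.verification = VerificationRecord(method, digest, on)
        self.audit_log.append(f"{on}: identity verified via {method} (sha256 {digest[:12]})")

    def start_processing(self, on: date) -> None:
        # Gate: nothing is routed to the data owners until identity is verified.
        if self.verification is None:
            raise NotVerified(f"{self.request_id}: verify identity before acting on {self.request_type.value}")
        self.status = "in_progress"
        self.audit_log.append(f"{on}: routed for processing")

    def escalation(self, today: date, warn_days: int = 5) -> str:
        # Assumed threshold: warn when five or fewer days remain before the deadline.
        if self.status == "closed":
            return "closed"
        remaining = (self.deadline - today).days
        if remaining < 0:
            return "overdue"
        return "warn" if remaining <= warn_days else "on_track"

def triage(requests, today: date) -> dict:
    """Open request ids grouped by escalation level for the DPO's daily review."""
    buckets = {"overdue": [], "warn": [], "on_track": []}
    for r in requests:
        level = r.escalation(today)
        if level in buckets:
            buckets[level].append(r.request_id)
    return buckets

def build_sample():
    # Constructed sample: three requests that arrived through different channels.
    reqs = [
        DataSubjectRequest("DSR-001", "subj-7f3a", RequestType.ACCESS, date(2024, 1, 31), "email"),
        DataSubjectRequest("DSR-002", "subj-1c9e", RequestType.ERASURE, date(2024, 2, 20), "social media"),
        DataSubjectRequest("DSR-003", "subj-b204", RequestType.PORTABILITY, date(2024, 2, 3), "phone"),
    ]
    reqs[0].record_verification("mfa", b"constructed OTP challenge transcript", date(2024, 2, 1))
    reqs[0].start_processing(date(2024, 2, 1))
    return reqs

def sample_triage(today_iso: str = "2024-03-01") -> dict:
    return triage(build_sample(), date.fromisoformat(today_iso))

if __name__ == "__main__":
    print(sample_triage())  # {'overdue': ['DSR-001'], 'warn': ['DSR-003'], 'on_track': ['DSR-002']}
```

Run on the constructed sample as of 1 March 2024, the access request received on 31 January is already overdue (its one-month deadline fell on 29 February), the portability request received on 3 February is two days from its deadline and is flagged for warning, and calling `start_processing` on the unverified erasure request raises `NotVerified` instead of routing it. Keeping only a hash of the verification evidence in the record is the data-minimization point from step 2: the audit trail proves that verification happened without retaining a copy of the identity document or one-time code.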