Privacy Enforcement

7 Things to Remember When Responding to a Data Subject Access Request

The landscape of data compliance is one of the most rapidly changing and important areas of business right now.

Web 2.0 has changed the internet and how connected we are. Companies in Silicon Valley, social media, and all other industries have made it a regular business practice to gather data from their users and customers.

If you work in an industry that collects data, you need to be on the right side of the law and ethics. In this regard, you’ll need to know what is required of you when a user makes a data subject access request.

These requests take place when a user asks the company about how their data was gathered and used.

Here are a few things you need to keep in mind when you have to respond to one of these requests.

1. You Have to Spell Out What Data Was Taken and Confirm That it is Being Processed

These requests mean that you have to be completely transparent about the nature of the data you gathered, and you will need to confirm whether that data is being processed once a request is made.

The last thing you should do is be evasive or untruthful about this practice. Companies are required to let users know in a privacy policy that they are agreeing for their data to be used.


2. Outline Your Purpose For Taking the Data

In addition to letting people know that you used their data, you will also need to let them know why.

There is always a purpose for gathering data, and this typically revolves around marketing or some form of analytics to get to know your customer better. Your response to the request needs to outline specifically how you have used or intend to use the data.

3. Respond to the Request and Let Them Know That it is Being Addressed

Time is of the essence when you are responding to a data access request. It is not only a matter of good business; you are also required to show good faith and let your users know that you are taking the matter seriously.

In this regard, be sure to properly document the time and date of the request, and respond to the user letting them know that more information is forthcoming. When you receive one of these requests, the law states that you have a month to respond to it.

4. Explain How Long the Information Has Been Taken

Timing is everything when it comes to a data request. You need to let your requester know the date that you began collecting the information and how long it has been happening. You also need to let them know how long you intend to use it.

When you have a privacy compliance software package, you can quickly pinpoint these sorts of instances so you can respond accurately and completely.

5. Be Sure That You Comply Transparently and Let Users Make Requests Digitally

Not only should you reply on time, but you’ll also need to be as transparent about the request as you can.

Quote the user’s request back to them so that you’re fully above board about your acknowledgment. By law, you must also allow your users to make requests digitally.

This speeds up the transparency and turnaround times of these requests and puts more options in the hands of your users.

6. Responding to These Requests Has to Come Free of Charge

You’re also required to respond to these requests free of charge. This means that you will have to handle the research, resources, and documentation that is required and foot the bill.

If you’re tempted to charge a fee, make sure you avoid this inclination so that you can stay on the right side of the law and ethics.

Not charging for these requests sends the message to users that you take their data seriously and won’t put up any roadblocks. When fees are involved, they might exclude requests from people who can’t afford them or aren’t willing to pay.

This keeps the entire process honest and is a good-faith way of operating. It allows you to show that you care about protecting users’ data and are willing to openly address any concerns or questions that they have.

Make sure that you have the resources in place to handle every part of the requests so that you don’t have to lose too much time or money gathering information. This is where having the help of a third-party compliance management company will be useful.

These companies will do the legwork of responding to these requests so you don’t have to.

7. Verify Proof of ID Before Responding to a Request

The biggest way you can respect users’ data is to ask them to show ID and verify their identity. This way you confirm who the recipient is, and that they are who they say they are, before giving out information about their data.

Make sure that the ID verification process is straightforward and simple.

Respond Properly to a Data Subject Access Request

Respecting your users’ privacy is more important than ever in this day and age. For that reason, you’ll need to be diligent about responding to a data subject access request.

When you need help managing data subject requests, our company has the resources that you need.

Get in touch with our team today to learn more about how we can help you.


Author

Dan Clarke
President, Truyo
October 14, 2019