The transition to a digital economy has made it possible for businesses to collect an extraordinary amount of personal information quickly. Many organizations store this data, mining it as needed to create new marketing opportunities. Detailed demographics, web browsing habits and purchase history are just a few of the data categories in high demand. A single company often collects information from multiple sources, such as registrations and service requests. Because data is usually stored by type rather than by individual, client contact details end up in one system and customer service records in another. Without a comprehensive process, bringing the data together to comply with data subject access requests can be all but impossible.
The Basics of Data Subject Access Requests
The Data Protection Act of 1998 was designed to protect consumers from the misuse of their personal information. Section 7 of the Act created specific obligations for entities storing any consumer data. Individuals have the right to submit a Data Subject Access Request (DSAR) to see a copy of the information held by an organization. After receiving a DSAR, companies must produce the following:
- Confirmation that the organization holds the personal data requested
- A description of the personal data
- An explanation as to why the organization is storing and processing personal information
- Details on plans to share the data with other entities
- A copy of the information retained by the company
- The source of the material held by the organization
In addition, organizations must give requestors an explanation for automated decisions, such as a denial of credit or performance assessments.
When an organization receives a request in writing, it has 40 days to respond. Effective May 2018, the General Data Protection Regulation (GDPR) lowers that time frame to just 30 days. Failure to comply with DSARs simply isn’t an option, as the fines for non-compliance can reach up to 4 percent of a company’s global annual turnover.
The Challenges of Meeting Data Subject Access Requests
Most organizations find themselves scrambling to comply with the law when they receive a DSAR. Without a clearly defined process in place, they face a series of obstacles:
- The definition of “personal information” is broad
- Different departments and systems all hold personal data about an individual
- Systems store information in multiple formats
- There is no standardized format for requests, making verification of identity more difficult
- The use of non-standardized request forms can lead to incomplete data search results
- Companies must compile data into a comprehensible format for the requestor
Finally, organizations must complete all of this before the 40-day deadline (30 days effective May 2018). Extensions to this deadline are rarely granted.
Simplifying Data Subject Access Requests With BPM Software
When you receive a DSAR, your organization’s ability to compile relevant information and return it to the requestor within the required timeframe depends on two elements. First, your company must have a comprehensive data management solution in place, ensuring that you can retrieve the information you need on-demand. Second, your business must have a defined process for managing DSARs to ensure that you address requests promptly and accurately.
Facilitating Good Data Management
BPM software makes it easy to retrieve data by providing a secure, centralized location to store information. When data enters the company through processes automated with the BPM software, specified tables in the connected database store the data, making it easy to find later. Additionally, you can connect existing databases and legacy systems to the BPM software database to streamline DSAR responses and collect data that was not introduced through automated processes. This resolves the challenge of information being scattered across many locations and provides a basis for managing data effectively.
High-quality BPM software has other tools in place to allow you to protect and retrieve data easily. Advanced security features permit you to set permissions to protect sensitive information. Adjust permissions based on user or role, ensuring that only authorized individuals have access to confidential data when complying with a request. You can tag documents containing data that pertains to more than one individual, so you do not omit anything when any or all of the relevant parties submit a DSAR. Finally, direct BPM software to automatically delete data from the database after a set period of time. This practice minimizes the amount of personal data being stored, which reduces risk to the organization.
Automating Data Subject Access Requests
With BPM software, you can create a clear process for handling DSARs, beginning with the initial request. BPM software offers solutions for standardized digital request forms, making it easier to collect and verify identification details. Automatically assign cases to a user after receiving a request form to help manage requests promptly. You can also create Service Level Agreements (SLAs) within BPM software to protect the company from risks related to delayed responses and the resulting fines. Assign due dates to tasks within the process and to the case as a whole, simplifying efforts to fulfill each DSAR within the required timeframe.
Through the BPM platform, you can use process maps to gain visibility into the flow of data as well as create workflows to manage and retain audit trails on personal information. The software keeps an automatic audit trail of your attempt to comply with the DSAR. If a response cannot be completed within the deadline, there is a record of the efforts made to comply. You can also leverage your BPM software to create a template for responses. When all personal data pertaining to the request is retrieved, the response is automatically generated and sent to the requestor.
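As an added illustration (not ProcessMaker's own code), a small Python model of the workflow the two sections above describe: records from several connected systems looked up by subject, documents tagged with every individual they pertain to, deletion after a retention period, the 40- or 30-day deadline, and an audit trail of each step. The system and subject names, the 365-day retention period and the 25 May 2018 cut-over date are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Assumed cut-over: GDPR applies from 25 May 2018 (the text just says "May 2018").
GDPR_START = date(2018, 5, 25)

def response_deadline(received: date) -> date:
    """40 days under the DPA 1998, 30 days once GDPR applies, as the text states."""
    return received + timedelta(days=30 if received >= GDPR_START else 40)

@dataclass(frozen=True)
class Record:
    system: str          # connected system holding it (crm, support, ...)
    subjects: frozenset  # tag: every individual the record pertains to
    content: str
    stored_on: date

@dataclass
class DsarCase:
    subject_id: str
    received: date
    identity_verified: bool
    audit: list = field(default_factory=list)  # automatic trail of each step

def purge_expired(records, today: date, retention_days: int):  # delete after set period
    return [r for r in records if (today - r.stored_on).days <= retention_days]

def compile_response(case: DsarCase, records):
    """Gather every record tagged with the subject across all systems, or refuse."""
    due = response_deadline(case.received)
    case.audit.append(f"received {case.received}, due {due}")
    if not case.identity_verified:
        case.audit.append("identity not verified: no data released")
        return None
    hits = [r for r in records if case.subject_id in r.subjects]
    case.audit.append(f"searched {len({r.system for r in records})} systems, {len(hits)} hits")
    return {"subject": case.subject_id, "deadline": due.isoformat(),
            "sources": sorted({r.system for r in hits}),
            "records": [(r.system, r.content) for r in hits]}

SAMPLE = [  # constructed sample data: the support ticket is tagged with both subjects
    Record("crm", frozenset({"s-1"}), "contact details for s-1", date(2018, 1, 10)),
    Record("support", frozenset({"s-1", "s-2"}), "ticket involving s-1 and s-2", date(2018, 3, 2)),
    Record("marketing", frozenset({"s-2"}), "old newsletter prefs for s-2", date(2015, 6, 1)),
]

def run_case(subject_id: str, verified: bool = True, today: date = date(2018, 6, 1)):
    """Purge expired data (365-day retention assumed), then handle one DSAR."""
    live = purge_expired(SAMPLE, today, retention_days=365)
    case = DsarCase(subject_id, today, verified)
    return compile_response(case, live), case.audit
```

Because the shared ticket carries both tags, it appears in the response for either subject, while the stale marketing record has already been purged before the search runs.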
Learn more about making compliance with Data Subject Access Request regulations easier through process automation at ProcessMaker.