Subject Access Requests, the new weapon.
Following on from our previous article "Using Subject Access Requests as a Weapon", we will now look further into the systems to be implemented for tracking and responding to these requests. Although asking companies for the information they may hold on an individual has always been possible under the old DPA (Data Protection Act 1998), with the advent of GDPR and the strengthening of a person's rights this may now be used with greater frequency to drown organisations in even more admin.
What is the process for Subject Access Requests?
A subject access request can be made in writing or verbally. It is considered good practice to provide a template, but you cannot force a data subject to use it. Either way you need to capture the receipt of the correspondence so that a time stamp is generated and the clock starts. You have to respond within the statutory one month unless you inform the requester that the request is complex and requires more time. You can insist on a form of identification before releasing the information. Already you can see a time-sensitive audit trail being generated. If you don't have a system to handle this workflow, mistakes will happen, either from not responding in time or from leaving information out, and then you will have to deal with penalty claims as well. See the ICO guidelines for a full list.
Systems for tracking Subject Access requests for GDPR.
The system we recommend combines document traceability with contact management so that the communication trail is easy to follow. If you set up a standard mailbox (e.g. subjectaccess@) the system will sync that Outlook inbox with the contact card, with the attachment stored as a live document. Creating the document can generate a future-dated activity to remind staff to respond in time, or set further reminders if more information is required. As discussed previously, the same contact management system can generate the report to satisfy the enquiry, document the proof of ID (to make sure the right information goes to the right individual; yes, it would be a data breach if you didn't check), then send an encrypted email so that the response is recorded as done within the timeline. Job done, and proof of compliance at the same time.
For snail mail the process is the same, except that you scan the letter into the system and handle the query in the same way. You could also direct requesters to a predefined web portal, which generates its own enquiry and follow-up activity in the contact card and semi-automates the process from there.
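To make the workflow concrete, here is a small tracker written for this article as an added example; it is not the product described above and the case data in it is made up. It assumes the one-month response period from GDPR Article 12(3), extendable by two further months if the request is complex (and only if the extension is claimed within the first month), and treats the calendar-month arithmetic (the corresponding date next month, or the last day of that month if it does not exist) as an assumption. Release of the data is refused until identity has been verified, and every step is written to an audit trail.

```python
"""Minimal Subject Access Request (SAR) tracker: receipt date, statutory
deadline, extension, identity check before release, and an audit trail.
Added example for this article; not the contact-management product it describes."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple
import calendar


def add_months(d: date, months: int) -> date:
    """Same day-of-month `months` later; if that day does not exist, the last
    day of that month (assumption: the 'corresponding date' rule)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


class SARError(Exception):
    """Raised when a step is attempted that the process does not allow."""


@dataclass
class SARCase:
    case_id: str                 # hypothetical reference, e.g. "SAR-0001"
    subject: str                 # name of the data subject
    received: date               # day the request arrived: the clock starts here
    extended: bool = False
    id_verified: bool = False
    released_on: Optional[date] = None
    events: List[Tuple[str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self._log(self.received, f"request received from {self.subject}")

    def _log(self, when: date, what: str) -> None:
        self.events.append((when.isoformat(), what))

    def deadline(self) -> date:
        # GDPR Art. 12(3): one month from receipt, plus two months if extended
        return add_months(self.received, 3 if self.extended else 1)

    def extend(self, today: date, reason: str) -> date:
        """Claim the two-month extension. Art. 12(3) requires telling the subject
        within the first month, so a late extension is refused."""
        if self.extended:
            raise SARError("already extended")
        if today > add_months(self.received, 1):
            raise SARError("too late to extend: first month already elapsed")
        self.extended = True
        self._log(today, f"extension claimed: {reason}")
        return self.deadline()

    def verify_identity(self, today: date, method: str) -> None:
        self.id_verified = True
        self._log(today, f"identity verified via {method}")

    def release(self, today: date, channel: str) -> None:
        """Send the data. Refuses until identity is verified: releasing personal
        data to the wrong person is itself a breach."""
        if not self.id_verified:
            self._log(today, "release BLOCKED: identity not verified")
            raise SARError("identity not verified")
        if self.released_on is not None:
            raise SARError("already released")
        self.released_on = today
        late = " (LATE)" if today > self.deadline() else ""
        self._log(today, f"response sent via {channel}{late}")

    def status(self, today: date) -> str:
        if self.released_on is not None:
            return "closed-late" if self.released_on > self.deadline() else "closed"
        return "overdue" if today > self.deadline() else "open"

    def days_remaining(self, today: date) -> int:
        return (self.deadline() - today).days


def demo() -> SARCase:
    """Walk one constructed case through the process and return it."""
    case = SARCase("SAR-0001", "A. Example", date(2024, 1, 31))
    try:
        case.release(date(2024, 2, 5), "encrypted email")   # no ID yet: blocked
    except SARError:
        pass
    case.verify_identity(date(2024, 2, 10), "passport scan")
    case.release(date(2024, 2, 20), "encrypted email")
    return case


if __name__ == "__main__":
    c = demo()
    print(c.case_id, c.deadline(), c.status(date(2024, 3, 1)))
    for when, what in c.events:
        print(when, what)
```

The receipt date is the only clock that matters: the deadline is derived from it rather than stored, so it cannot drift if a record is edited, and the blocked release attempt stays in the audit trail as evidence that the identity check was enforced.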
For businesses wishing to get on top of their process, please contact us directly at the email above, or see our "Services" page for more information.
Next in the series: "GDPR Compliant Software".