If you hold personal data, and you lose it by any means, you’re pretty much boned, especially if you weren’t doing a decent job of trying to protect it. If you hold personal data, and you process or use it in a way that you don’t have explicit permission for, you’re pretty much boned, at least on a technical level – if anyone decided to chase you down on it, you’d have very little recourse.
These are the things that two years of preparation and nearly two years (at the time of writing) of the GDPR being ‘in the wild’ have taught us. We’re sick of hearing them, to be honest.
There’s something else, however. Something that’s technically always been there (well, since the Data Protection Act 1998, at least), and that is the rights of an individual to get a complete view of the data you hold on them, from you, on request. They’re called Data Subject Access Requests (originally just SARs), and whilst they’re not completely new, the GDPR brought about some fundamental changes which make them much more of a problem for organisations holding data on an individual.
The changes aren’t massive in terms of the rights that an individual has, but the implications of those changes are huge. In summary:
Historically, charges levied for providing individuals with copies of the data one holds have been used to dissuade all but the most insistent from actually putting a request in. Add to that a much more generous allowance on the time required to respond (basically, as long as you could argue that you were making progress, there was no come-back for each request taking months to be dealt with) and whilst it was technically possible for an individual to get a view of the data being held on them, it was very time and cost intensive.
Not any more. Now, an individual can reach out to you via email, or your web chat, or over the phone, and request a complete copy of all of the data you hold on them. That’s customer records from your ecommerce system, contact details from your email system, any profiles you’ve set up in your CRM related to them. Everything. They don’t have to specify what they want, they can just ask for it all and it’s your burden to find it.
When a request comes in, you’re faced with the following:
There is very little wriggle room when such a request comes in. You can refuse access if it’s an unreasonable request (for example, if the same person requests their information repeatedly) but generally speaking, if you get a request in, you’d better be prepared to deal with it.
And that could be huge. First, imagine if just 20 of your customers dropped you an email today asking for a complete copy of all the data you hold on them, across all of your systems. Even if you have a complete handle on it and know exactly how to find and export all of that information accurately, it’s a big task to do it for 20 people at the same time, especially when you factor in verification of their identity.
And what if, like most people, you’re not ready for this? Do you even know what all of your systems are? Would you be able to quickly export information from those systems in a secure and complete way? What’s your process for verifying their identity?
Imagine trying to dig through emails, CRMs, spreadsheets, marketing systems, customer databases and accountancy systems to find everything you hold on a user.
Imagine actually dealing with it all, and then 5 of those individuals asking for their data to be removed, and another 5 asking for their information to be updated (because it’s highly unlikely all of your systems hold up-to-date information on everyone, if we’re being honest).
Sounds like a nightmare, right? That’s because it is.
If you did your GDPR prep properly leading up to May 2018, you’ll have done a thorough review of the systems you use and the data they hold. A really thorough review would have included how you’d handle DSARs too, as they’ve always been a part of the GDPR, but in reality most organisations haven’t been this thorough, and most of the focus has been on data security, not access.
So it’s important that you consider it and put a plan in place. Take the following steps to ensure that, if a call ever does come in, you’re ready for it:
It may seem like overkill, especially as you’ve likely not had a single request through yet, but you really don’t want to be starting this process under the pressure of a ticking clock when the first request does come in.
If you’d like to talk in more detail about it, hit me up on twitter – @boboshady