GDPR compliance automation: responding to data subject requests
Posted: October 25, 2017
What is GDPR?
The General Data Protection Regulation (GDPR) is European Union legislation, adopted in 2016 and applying from 25 May 2018, intended to strengthen personal data protection for individuals in the EU and harmonise personal data protection rules across the Union. GDPR replaces the 1995 EU Data Protection Directive (95/46/EC) and the national laws that implemented that Directive. As a regulation, GDPR becomes law in all EU Member States without the need for further national legislation, though in some areas Member States are allowed to adopt further specific rules on certain topics, for example in relation to biometric data and employment data.
What is personal data?
Personal data is defined as any information relating to an identified or identifiable living individual. For example, your name, date of birth, home address, personal email address, your tax identification number, fingerprints, phone number, performance data and medical information are all personal data, but it can also be any combination of data that can identify you.
What rights do individuals have?
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
You can find out more on the ICO website. In practice, companies receive the majority of requests under the right of access and the right to erasure (the right to be forgotten).
What is the Right of Access?
A data subject access request is a request by an individual for access to the personal data a company holds about them. The purpose of the right of access is to enable individuals to stay in control of their own personal data, for example to understand what personal data is processed and to verify the lawfulness of that processing.
All personal data which is being processed will need to be provided to the data subject, with a few exceptions to protect the data rights of other individuals and commercial secrets. In some cases, where the relevant systems provide for this, the right of access can be complied with by self-service by the data subject.
What is the Right to be Forgotten?
A data subject may make a request for erasure, also known as the right to be forgotten. Among other grounds, the right applies when the individual has withdrawn consent, when the data was processed unlawfully, when the data is no longer necessary for the purpose it was collected for, or when the data must be erased to comply with a legal obligation. Only those data items are erased for which the company has no remaining legal basis (e.g. tax, accounting, employment or legal obligations) or business purpose to retain them.
The extent to which data can be erased depends on the nature of the personal data. For example, an employee cannot request that the fact that he or she worked at the company be deleted. When a data subject exercises their right to be forgotten, their personal data needs to be either deleted or anonymised such that it can no longer be linked back to the individual.
How to automate responding to data subject requests
Below is a high-level diagram of the solution that automates the processes that need to be carried out to comply with the regulation.
This includes collecting data from different systems in order to fulfill a Subject Access Request and instructing systems to delete/anonymise data as part of a Right to be Forgotten request.
Process automation requires that asset inventories and data flows are first documented and personal data processing systems are identified.
The solution then integrates with system APIs and orchestrates data subject requests. It allows the operator (data privacy team) to generate a consumable report and carry out necessary identity verification checks before responding to the request. It also enables the operator to customise the report if needed.
This approach ensures personal data is collected from, or removed from, all the systems in scope and accelerates the response to the requestor within the one-month period the regulation allows (extendable by a further two months for complex or numerous requests, provided the requestor is told why).
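The orchestration described above, as an added illustration written for this article and not the solution the diagram depicts: a registry of personal-data systems taken from the asset inventory, each wrapped in a connector; a subject access request fans out to every connector and aggregates a report; an erasure request deletes records with no retention obligation and anonymises the rest, re-keying them so they can no longer be linked to the subject; and neither request is actioned until the operator has verified the requestor's identity. The connector classes, system names, identifying-field list, sample records and legal-basis tags are all constructed assumptions; in-memory dictionaries stand in for real system APIs.

```python
"""Added example (not the article's own solution): a minimal orchestrator that
fans a data subject request out to every system in the asset inventory.

Assumptions, constructed for illustration: SystemConnector wraps an in-memory
store in place of a real system API; the identifying field names, the sample
records and the legal-basis tags are invented.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Fields that identify a person and must go when a record is anonymised
# (assumed set; a real deployment derives this from the documented data flows).
IDENTIFYING_FIELDS = {"name", "email", "phone", "address", "date_of_birth"}
# Anonymised records are re-keyed under this key, so they are no longer linked to the subject id.
RETAINED_KEY = "__retained__"


@dataclass
class Record:
    fields: Dict[str, str]
    legal_basis: Optional[str] = None  # e.g. "tax": the record must be kept, so anonymise rather than delete


class SystemConnector:
    """One personal-data processing system from the inventory (the store stands in for its API)."""

    def __init__(self, name: str, store: Dict[str, List[Record]]):
        self.name = name
        self.store = store

    def fetch(self, subject_id: str) -> List[Record]:
        """Collect everything this system holds on the subject (right of access)."""
        return list(self.store.get(subject_id, []))

    def erase(self, subject_id: str) -> Dict[str, int]:
        """Delete records with no retention obligation; strip identifiers from the rest."""
        deleted = anonymised = 0
        for rec in self.store.pop(subject_id, []):
            if rec.legal_basis is None:
                deleted += 1
                continue
            kept = {k: v for k, v in rec.fields.items() if k not in IDENTIFYING_FIELDS}
            self.store.setdefault(RETAINED_KEY, []).append(Record(kept, rec.legal_basis))
            anonymised += 1
        return {"deleted": deleted, "anonymised": anonymised}


class RequestOrchestrator:
    def __init__(self, inventory: List[SystemConnector]):
        self.inventory = inventory

    def _require_verified(self, identity_verified: bool) -> None:
        # Never disclose or erase on an unverified request: otherwise a SAR becomes a way to
        # harvest someone else's data, and an erasure request a way to destroy it.
        if not identity_verified:
            raise PermissionError("identity not verified; request not actioned")

    def subject_access_request(self, subject_id: str, identity_verified: bool) -> Dict[str, list]:
        self._require_verified(identity_verified)
        return {s.name: [r.fields for r in s.fetch(subject_id)] for s in self.inventory}

    def right_to_be_forgotten(self, subject_id: str, identity_verified: bool) -> Dict[str, Dict[str, int]]:
        self._require_verified(identity_verified)
        return {s.name: s.erase(subject_id) for s in self.inventory}


def build_demo_inventory() -> List[SystemConnector]:
    """Constructed sample systems and records; not real data."""
    crm = {"subj-42": [Record({"name": "A. Example", "email": "a@example.com", "newsletter": "yes"})]}
    payroll = {"subj-42": [Record({"name": "A. Example", "tax_year": "2016", "gross_pay": "30000"},
                                  legal_basis="tax")]}
    tickets = {"subj-42": [Record({"email": "a@example.com", "issue": "login failure"})]}
    return [SystemConnector("crm", crm), SystemConnector("payroll", payroll), SystemConnector("helpdesk", tickets)]


def run_demo():
    """SAR before erasure, the erasure outcome per system, then a SAR after erasure."""
    orch = RequestOrchestrator(build_demo_inventory())
    before = orch.subject_access_request("subj-42", identity_verified=True)
    outcome = orch.right_to_be_forgotten("subj-42", identity_verified=True)
    after = orch.subject_access_request("subj-42", identity_verified=True)
    return before, outcome, after


if __name__ == "__main__":
    b, o, a = run_demo()
    print("SAR report:", b)
    print("Erasure outcome:", o)
    print("SAR after erasure:", a)
```

The payroll record survives erasure because it carries a retention basis, but only its non-identifying fields remain and it is no longer reachable by the subject's identifier, which is the "delete or anonymise" outcome the previous section requires; the CRM and helpdesk records, with no basis to retain them, are deleted outright.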