GDPR Two Years On | Data subject requests

The European General Data Protection Regulation (GDPR) has now been in force for over two years. In this series of articles we look at some of the topics where practice and guidance has evolved since May 25, 2018. In this article we look at data subject requests, and in particular what issues we are seeing and the practical steps that organizations should be taking now in light of that.

What data subject rights are contained in the GDPR?

The GDPR strengthened and added new rights to those that individuals previously had under the GDPR's predecessor, the EU Data Protection Directive. These rights include: the right to access information, the right to deletion (the so called "right to be forgotten"), the right to rectification, the right to restriction of processing, data portability and the right to object to processing.

What issues have we seen?

In our experience, what has been most surprising for many businesses is the extremely high volumes of requests to access information and delete personal data. These have arisen not only in an employment context – where they are now routine in litigation and used as a fishing exercise in the context of grievance and disciplinary processes – but also by consumers and by customers in a B2B scenario.

Indeed some individuals have been weaponizing the right to access information by making numerous and repeated requests which are malicious and aimed at causing disruption. These can be very difficult for organizations to manage, especially as the regulatory guidance does not clarify the extent to which companies need to respond to this type of request. The challenge for many companies has been to manage lots of requests effectively, meet the tight deadline of one month to respond, and correctly apply any relevant exemptions.

Another issue has been that organizations sometimes fail to recognize requests quickly enough and underestimate how long it will take to respond to requests. There are no formal requirements that individuals have to meet when they make a request, and the proliferation of channels by which companies communicate with their customers, including social media, can make them difficult to spot.

Once a request has been received, it can take time to search multiple locations, systems, equipment and platforms and records that aren't as easily available, in order to respond to a request. After the raw data has been collected, the task of reviewing it, considering exemptions, redacting data and then providing the information in a GDPR-compliant form and format can be extremely time-consuming. This can take companies beyond the one month deadline to respond.
We have also seen the use of third party portals/platforms, which can be used as a tool to make bulk requests, and which sometimes also require organizations to sign up to third party portals and pay a fee to use the portal to respond. Emily Jones, Partner and Head of Osborne Clarke's offices in Silicon Valley notes that "the use of portals is a challenge for companies because it is more difficult to verify the identity of the individual making the request and be certain that the portal is actually acting on the individual's behalf".

What should organizations be doing now?

There are some straightforward steps that organizations should take now to better manage and respond to requests:

1. Review your processes: consider whether there could be any improvements to your internal processes: are the right people in your organization involved in responding to requests? Do they need more training or support, especially in dealing with difficult requests? Most importantly, do all the relevant people in your company know how to identify a request and quickly pass it onto the right person or team?
2. Consider the impact of new technologies: Has the company added new platforms, communications channels or collaboration tools since its processes for managing requests was put in place, which have added to the list of places that a company needs to search in response to a request? Is it easy to filter and search these new systems? Are employees aware that all of the internal notes and instant chat messages they send could be disclosed in response to a request? This is particularly relevant in light of the switch to mass-home working necessitated by Covid-19.
3. Use a template request form: While you cannot force someone to use a standard form, it can be a useful way of more easily recognizing and understanding the request that an individual is making and the type of information that they are requesting.
4. Identify whether automated tools and self-service options could be helpful: Many requests will be routine and could be easily managed using data export and account management tools. This can save time and internal resource, but companies should not forget that use of these tools should still be supervised and reviewed.
5. Use guidance from regulatory authorities: Many supervisory authorities have published helpful guidance and checklists, for example the UK ICO and the French CNIL.

If you have any questions about the contents of this Insight, please get in touch with one of our experts.

This article was written by Emily Jones.