Corporate Compliance Insights

4 Steps to Streamline Data Subject Requests in 2019

by Brendan Gilbert
January 8, 2019
in Data Privacy, Featured

How to Improve DSR Processes

Data subject requests (DSRs) are a complex and often confusing challenge under GDPR. This article, from data privacy and IG experts at FTI Consulting, discusses ways to streamline DSR operations and ensure they don’t overwhelm legal and compliance teams.

with co-authors Nina Bryant and Tom Hiney

It’s a new year, bringing the excitement and potential that every new year brings: fresh opportunities, clean slates, hope for successful resolutions. With the end of 2018 and the ringing in of 2019, it’s likely that your organization has been immersed in reflection on successes and shortfalls, as well as planning for the year ahead. In governance, risk and compliance, a significant portion of these musings will center on the General Data Protection Regulation (GDPR) and assessing how and to what extent the regulation will impact your organization moving forward.

Data subject requests (DSRs) are a key area under GDPR that teams should be examining closely. Some organizations have already experienced their initial DSRs. If your organization is one of them, take a moment to breathe, or, depending on how the response went, allow yourself one more drink before your post-holiday detox. Fulfillment of a DSR means the organization has accomplished something new and possibly very difficult, especially if the request came from a former employee or long-time customer.

Whether the process was conducted smoothly or not – or your organization falls in the category of those who have yet to see their first DSR – the new year is an apt time to evaluate processes and improve efficiency. This includes revisiting broader information governance frameworks and implementing steps to streamline processes so that as requests flow in through the year, legal, compliance and privacy teams are not overwhelmed by them. Below are four steps to identify opportunities, mitigate regulatory risk and improve DSR processes:

1. Review DSR Intake

If a DSR has already taken place, consider whether it was recognized and routed as expected. If the organization did not anticipate the methods of service or recognize the DSR, a thorough review of the intake setup and training for employees who are expected to receive requests should be conducted. Teams may consider privacy policy updates, new scripts or training for business units found lacking in preparation. It is important to note that not all requests will mention the related legislation; therefore, teams must be able to recognize them from the outset.

2. Close the Feedback Loop on Unexpected Data

To swiftly respond to a DSR, the team must be able to find personal data across the enterprise, from all sources. In many cases, unstructured data discovery tools are useful in enabling teams to quickly find what they are looking for across sources. Data may reside in the cloud, at the bottom of a data lake, in emails and attachments, in audio files, as hard copies or on IT assets not known to exist (i.e., shadow IT). The team should assess the risks and controls associated with that data, including where personal information should be stored, whether it should be included in the data lake in the first place, the access controls around it, how to retrieve items quickly and what remediation or disposal efforts are needed. Any data that is redundant or stored beyond set retention periods should be identified and deleted. If, during a DSR response, data is found in an unexpected place, ensure processing and application registers are updated or the data is remediated, and consider how to apply more rigorous processes in the future. Regulators cannot be expected to be lenient with organizations that fail to follow best practices on data retention and disposal.

3. Be Prepared for Complex Situations

Requests can come from a disgruntled employee as a prelude to a lawsuit, from other parties seeking to weaken the organization in the face of other disputes, or for data that is under legal hold. Any number of challenging scenarios are bound to arise and potentially influence the DSR response. The team must know ahead of time how it is going to deal with challenges and uncharted waters. Often, outside counsel or other experts can be helpful in streamlining the legal hold process, addressing the commingling of personal data and establishing defensibility around the retention of data that was kept for investigations, legal holds or other regulatory reasons. They can also help the team find information residing in difficult-to-access locations, such as backups, and segregate it when possible.

4. Practice Timeliness

The GDPR states that organizations must respond to DSRs within 30 days, and the life cycle of the request must also be documented. Teams should be consistently aiming to reduce response duration and avoid running up to the full 30-day timeframe. In cases where this is not possible, the organization should have a framework in place for reaching out to data subjects to request more time when needed. Forecasting the number of requests expected and allocating appropriate resources is an important step. Any combination of internal and external resources may be needed to ensure DSRs are appropriately prioritized and can be fulfilled in a timely manner.

DSRs can easily overwhelm an organization and may prove to be among the most difficult GDPR requirements to operationalize. They can hit at any time, from any data subject, and in any volume or level of complexity. The new year is a prime opportunity to build repeatable processes to deal with DSRs. Teams that do so and implement learnings from successes and failures will be in a much better position to achieve compliance with data protection laws.


Nina Bryant is a Director at FTI Consulting in London and an expert and thought leader in Information Lifecycle Governance and Privacy. She is experienced at leading global programs to assess compliance with legal and regulatory requirements and developing and implementing solutions to reduce risk, drive cultural change and exploit the value from data and information.

Tom Hiney is a Senior Consultant at FTI Consulting, focused on GDPR compliance and implementation, HIPAA risk and gap assessment, privacy consulting, data governance consulting, project management, customer development and more.


Brendan Gilbert is a Director at FTI Consulting and provides assessment and advice on data privacy issues and adjacent areas, such as ensuring compliance with privacy law and regulation; the data privacy implications of planned corporate changes; information security compliance and crisis response; and privacy audits.