Rather than pointing out how well companies responded, we are pleased to present to you with "The Seven Commandments" to consider when it comes to properly responding (or preparing to respond) to data subject rights. We also provide with "Topics Worth Checking", which might help you get ready for new data subject requests. "The Seven Commandments" and the "Topics Worth Checking" have been elaborated based on the current regulatory requirements, as well as the results and trends we observed during the survey.
If you would like to receive more information regarding the survey, what we have spotted or discuss "The Seven Commandments" and "Topics Worth Checking", we will be happy to engage further with you.
For 66% of the requestors it was quite easy to find the DPO office contact details and for 34% the exercise was not so easy.
Put yourself in the data subject's shoes and check how easy it is to reach your Privacy office.
48.5% of the requestors were able to find an email address to reach directly the DPO Office. That means that 51.5% of the sample didn’t take into account the requirement to have a specific and dedicated address for this type of request. Or we can imagine that the address was not easy to find on the website.
Ensure you have a dedicated contact email address for data privacy matters.
19% of requestors never received a response within 1 month of their initial request.
Respect the 1-month regulatory requirement to respond to data subject requests.
45.5% of the sample requested to verify the identity of the requestors versus 54.5% of “no check”.
The regulation requests companies to verify the identity of each requestor by any way. Many companies have chosen to verify the identity by requesting an ID card but others who have not required an ID card as a means of verification, might have cross checked the email address of the requestor and the email address stored in their systems or use one of the following elements:
Client number /User ID
Use of token
Make sure you respond to the data subject and not anyone else.
1 - only the request: 49%
2 - the request and proving my identity: 40%
More than 3: 11%
Process seems to be simple but be careful not to sacrifice security over simplicity.
Do not sacrifice information security over speed of the response process.
1 week or less: 46.8%
More than 1 week and up to 2 weeks: 21.3%
More than 2 weeks and up to 3 weeks: 14.9%
More than 3 weeks and up to 4 weeks: 10.6%
More than 1 month: 6.4%
An important number of companies did not respond to the DSR, thus potentially leading to a complaint at the national data protection authority. Yet, these having responded seem quite fast in doing so: almost half of the companies responded in less than 1 week, whereas 83% responded in less than 3 weeks.
Follow up on the data subject requests and respond within 1 month - or 3 months with a justification.
Phone call: 2.1%
Form on their website: 4.2%
Document to pick up at the company: 4.2%
The preferred communication channel is the email, representing over 80% of the total responses, followed by postal communication.
Use an appropriate secure communication channel when responding to a data subject request.
Certain rights seem to be easier to execute than others: for example, companies executed smoothly the rectification of certain personal data.
Yet, when looking at the right of access, there is a difference between what data subjects expect and what the companies understand when it comes to personal information to receive/ provide.
Know the personal data you manage to exhaustively respond to data subject requests.
Using a tool to respond to data subject requests?
Keeping an updated mapping of personal data across your IT systems?
Updating your register with personal data processing newly created?
Enforcing data retention periods in your systems to limit the effort for responding to data subject requests?
Keeping track of the data subject requests received to continuously improve your processes?
Partner, Regulatory Advisory Services, PwC Luxembourg
Tel: +352 49 48 48 4173