The European Union’s (EU) General Data Protection Regulation (GDPR) codified data protection rights for its citizens and introduced new rules that organizations had to follow in order to collect and process their data.
Other jurisdictions have followed the GDPR’s lead with laws such as the California Consumer Privacy Act (CCPA), which outlined privacy rights and obligations to protect Californian consumers.
One of the key facets of these data protection laws is the right for a consumer to access, receive, and delete their personal information from businesses. The process that facilitates users exercising their rights is called a data subject request.
So just what does a data subject request (DSR) entail, how does its process work, and what can your business do to prepare for your own customer requests?
What Is a Data Subject Request?
When it comes to data management, the GDPR actually refers to EU citizens as “data subjects,” and the organizations and businesses that process and use data about data subjects are known as “controllers.”
The regulation gives each data subject the following rights:
- To obtain copies of the data collected by businesses and organizations
- To request changes to the data held about them
- To restrict the processing of their data by businesses
- To have their data deleted from a controller’s holdings
- To receive their data in an electronic format so it can be moved to another controller
The CCPA grants similar rights and, as with the GDPR, formalizes the process of exercising these rights through a DSR process.
Once a controller receives a DSR, they are obligated to “take appropriate measures” to consider each DSR. Additionally, “the controller shall not refuse to act on the request of the data subject for exercising his or her rights.”
What Is the Data Subject Request Process?
The GDPR and CCPA outline a data subject’s rights and the obligations that controllers must meet. But how businesses process DSRs—including the processes, people, and technology—can be unique to that organization.
However, DSR processing generally means a business undergoes one or more of the following processes:
- Discovery. The steps the controller takes, using the information supplied on the DSR, to determine what data, tools, and people are needed to fulfill the DSR. Depending on the organization, discovery can also specify timelines for when specific steps need to be completed.
- Access. Compiling, preparing, and submitting the information and/or data to the data subject.
- Rectify. If requested, making the necessary changes to the specified data or the information about the data subject.
- Restrict. Modifying the access controls or processing approvals based on the updated consents or data subject requests.
- Export. Delivering the information to a data subject in a “structured, commonly used, machine-readable format,” as required by the GDPR’s “right of data portability.”
- Delete. Permanently removing the specified data.
Simplify Data Subject Requests with Data Compliance Software
If your business just had a handful of customers and plenty of staff members on hand, each knowledgeable in the latest GDPR and CCPA compliance, handling DSRs would be easy.
However, we all know this is nowhere close to the reality businesses like yours face every day.
Luckily, taking advantage of the latest digital platforms can make handling DSRs efficient and easy. In fact, today’s industry-leading tools can make it easy to:
- Consolidate user data collected from across your organization’s enterprise technologies, and organize and process it based on each data subject’s preferences.
- Automate and simplify the processes of updating, deleting, and handling data subject consent, and of processing DSRs.
- Assign tasks to your team to comply with the DSR or create custom workflows to appropriately respond to DSRs.
- Make the process for consumers to initiate DSRs intuitive and simple, boosting trust in your brand.
- Maintain compliance with evolving data privacy regulations, no matter the size and scope of your business.
Make Dataships Your Compliance Go-To
If you believe that your business doesn’t need to worry about the GDPR, CCPA, or any other data privacy regulation that could require you to respond to a DSR, you should think again.
Today’s global economy brings consumers to your digital doorstep from every corner of the world, and each person brings with them the data privacy rights afforded to them by their government.
Fortunately, platforms like Dataships can be tailored to your specific business’s needs and are ready to deliver the full range of data management, consent, and privacy features your team needs to steer clear of the risks of noncompliance.
Sounds too good to be true? See the power of our platform firsthand: Request a demo.