Paying attention to data subject access requests

Morayo, a former employee of Chicant IT Limited, was sacked. Some days later, he hand-delivers a letter to the reception of one of his company’s subsidiaries. He asked for a copy of all his company holds about him from the start of his job. He wants all email correspondence about him from his past three managers and anyone from the HR department. Morayopresents a current copy of his national identity card, employment number and proof of his address.

One of Morayo’s previous managers lost his job at the same time. Another has relocated to Canada with his family. The receptionist was not sure what to do with the letter, so she sent the request via internal mail to her manager who was on leave. The manager sent it to the HR manager who is very busy with laying off other staff. The matter drags on and on. Morayo was not able to get his data within the required period and thinks his former company is doing everything in their power not to release information to him. He knows that there is a timeline within which his company must attend to data subject access requests.

Chiamaka is a customer of a telecommunications company. She has been using that particular company for over ten years. She gets married, changes her name and moves to another address. She calls the telecommunications company to inform them about her change of name and her change of address. She would like the company to update their information about her. She trusts that the telecommunication company will ensure that the data is updated. Some months later, she gets a call from the telecommunication company telling her that they had sent her a complimentary sim and other packages as a loyal customer. She’s surprised and informs the company that she didn’t receive anything.

The customer care personnel at the telecommunication company takes down the note. Asks further questions about it and finds out that someone sent the complimentary sim to Chiamaka’s old address. She apologises to Chiamaka and collects the new address again. The customer care personnel who was employed some weeks ago passes the address to her line manager and asks that the customer’s information be updated. Because there is no process in place, the line manager flags the email as something to do later.

The notion of data subject access request comes with complexity in any business organisation. There will be companies that will get away from this because they have the right structure in place to attend to data subject access requests.

Those companies that do not pay attention to their structure of data subject access request find themselves, like in the case of Chicant IT and the telecommunication company, struggling with the right action to take when it comes to data subject access request.

There is no known practice in the handling of data subject access request because one system can’t work for all businesses. The company’s privacy professional must find a plan that works for the business.  However, there are known standards that any company must follow to ensure that they have the right request methodologies. Again, if the three principles of people, process and technology are employed data subject requests can be easy. First, the people within the organisation must understand what a data subject request looks like, documentation required for authentication during a request, and how should the information be passed onto the data subject. Second, the company should ensure that there is an in-house policy that guides the company on the end-to-end management of the process. And, lastly, to make everything work seamlessly, having a technological tool in place to attend to the complexity of data subject access requests will come in handy and save administrative time for the company.

As companies accrue more information for the day-to-day running of their business, they must begin to pay attention to how they can handle data subject access requests seamlessly.