How to respond to Right to Access and Erasure requests from your customers and employees at top speed to stay compliant.
Are you confident your business has the right technology in place to deal with the growth in data access and data erasure requests? Read on to find out how to action all your employee and customer requests with ease on time, every time, to protect your reputation.
The personal data you store on your employees and customers is expanding all the time, and ever-more stringent protective regulations are growing alongside it, enforced in the UK by the Information Commissioner’s Office (ICO). Although we can clearly reap the business benefits of putting this data to work, it’s equally important to stand back and take stock. Data comes with privacy strings attached.
If you conduct business solely within the UK, you must comply with the UK GDPR and the Data Protection Act (2018). And, if your company works within the UK and the EU and transfers personal data between the two, you must comply with both the UK GDPR and the EU GDPR (2018). One noteworthy difference is the age of consent for use of personal data. In the UK, you must be aged 13-plus to give consent, whereas in the EU it’s 16 years.
Businesses that get a handle on the intricacies of data privacy regulations will gain and maintain the trust and respect of their prospective and existing customers and employees. And ensuring the vast troves of personal data stored on your systems are fully discoverable, so you can find exactly what you need when you need it, is also core for complete transparency and your credibility.
Impact of the UK GDPR Right to Access and Right to Erasure requests on your business
When it comes to protecting personal data, the UK GDPR’s Right to Access (Article 15) and Right to Erasure (Article 17), also known as the Right to be Forgotten, are cases in point. If a previous or existing employee or customer wishes to request access to their personal data in the UK, they can simply send a Data Subject Access Request (DSAR) to anyone working at your organisation. The Right to Erasure takes this one step further, handing individuals the right to request complete deletion of their personal data from your records.
In turn, you’re handed the more onerous task of responding to these requests within one month. Regardless of where you’re based, if you offer goods or services to UK citizens, these rules apply.
And as awareness of who’s accessing, sharing, and selling our valuable personal data spreads, and as privacy regulations roll out in the UK and beyond, it follows that these data access and data erasure requests will escalate.
So, when you can readily discover and access all personal data stockpiled by your business, you’re much better placed to respond promptly with supporting documentation to hand. This promotes confidence in your company and your brand.
Mounting Right to Access and Right to be Forgotten requests are here for the long-haul
So, what do the stats say? With regards to access requests, research from the DPO Centre shows that organisations receiving 10+ DSARs in the previous 30 days rose from 20% in September 2021 to 27% in December 2021 – and the proportion of data protection officers (DPOs) receiving zero DSARs fell by eight per cent.
Our younger generation is also growing up highly aware of their rights to data privacy. Most DSARs (20%) come from this 18–34-year cohort. As your prospective lifelong employees and customers – and potential future data request subjects – this generational inclination signals even heavier workloads for your compliance teams. Nevertheless, staying on top of data privacy and your DSARs is central to transparency, and this age group’s trust in your organisation.
Are mounting DSARs a cause for concern? If you’re using cumbersome manual methods to process your data access and data erasure requests across siloed teams working from diverse locations, this could become a real headache. Discovering all the data you need to process a Right to be Forgotten personal data request is just as tricky and time-consuming as it is for a Right to Access request. As each DSAR costs an estimated £3,000–6,000 on average, an influx of requests could make a costly dent in your business.
When your profit margins are at stake, prevention is surely better than cure. That’s why research from Squire Patton Boggs is something to consider. Seventy-one per cent of their survey respondents reported a rise in employee DSARs post-UK GDPR, and more than two thirds of these made canny preventative investments for compliance.
Preemptive measures such as recruiting more staff, implementing new guidelines and procedures, and adopting new software will scale down the sting of your laborious and costly access requests. Likewise, they’ll lessen the load of your Right to be Forgotten erasures.
Invest in technology to turn the tide on GDPR Right to Erasure and Right to Access requests
When it comes to selecting your new software, ideally you need one simple solution, customised to streamline each stage of your data access and data erasure request processes: one collaborative and secure platform for your whole compliance team, regardless of location. Of the 87% of businesses reporting challenges when processing DSARs, Parseq’s research points to three key hurdles:
- Finding and collating data
- Redacting data
- Administrating the request process
Let’s look at each predicament in turn – and find out how an AI technology solution can help your teams process data access (DSAR) and data erasure requests accurately and swiftly to comply with ICO guidelines.
Find and collate all personal data quickly and easily
Not only are data erasure requests ranked the most difficult EU GDPR obligation to meet, but Data Privacy Manager reports that when responding to DSARs (including data access, data deletion, and data rectification requests), more than half (56%) of those surveyed struggled to locate unstructured personal data.
So, whether you’re processing Right to Access or Right to be Forgotten requests, setting up an effective search and discovery solution is essential regardless of your region (EU or UK).
This is exactly where an automated software platform like our DSAR Solution comes into its own. Scouring all your diverse source systems at top speed, AI technology discovers all the personal data you need – structured and unstructured – wherever it’s living. It ensures all instances are captured without fail, even scattered information lurking in hidden forgotten places across your enterprise. An AI-powered search and discovery solution makes finding all your personal data a doddle, so you can process requests with ease.
The best technology platforms will also facilitate data request collections. Serving as a ‘case management system’ of sorts, these enable your teams to speed up the process and meet the one-month response deadline on time, every time, for every request. By automating your search and discovery process, you can also repeat the sequence to verify successful retrieval, and erasure, of all relevant personal data.
Erase and redact all relevant personal data with full assurance
Of course, in connection with the Right to be Forgotten, all applicable personal data must be deleted from your live and backup systems. Plus, if any relevant data cannot be overwritten, it must be put beyond use.
At this point, it’s crucial that your software automatically alerts your request processor to carry out this deletion, and to secure any outstanding data beyond reach, across all your systems. This is what full compliance requires, and it protects the privacy and personal data of your valued employees and customers.
For Right to Access requests, you must also accurately redact all third-party data for compliance, before disclosing your response to the data request subject. After finding and collating data, redaction is the second biggest hurdle facing DSAR teams. A manual approach to finding and redacting all third-party data is prone to inaccuracies and human error, so an AI-powered solution offers a far more efficient and reliable approach.
Administrate the end-to-end process with complete visibility
Knowing when to process data erasure requests is also key for effective administration, so it pays to be careful of caveats. For example, data erasure requests only apply to personal data held when the request is received, not to data created afterwards. And they only need to be actioned in specific circumstances: when the personal data is no longer needed for its original purpose, or when the data subject wishes to withdraw their consent, objects to it being used for direct marketing, believes it’s being processed unlawfully, or believes there’s no legitimate interest in keeping their personal data.
And just because you receive a Right to be Forgotten request doesn’t mean you have to process it. You can refuse it if caveats apply. Regarding Right to Access, the only caveats are ‘manifestly unfounded or excessive’ requests. Regardless, in both cases, your team needs to instantly discover the personal data held on record when the request was received to inform the right response: process or decline.
As your customer service and compliance teams have just one month to make the right decision and take the right steps, speed and collaboration are crucial to reviewing and processing all requests promptly.
Here, an automated software solution ensures all your data access and data erasure requests are accurately recorded in one convenient place, and accessible to everyone at the same time, supporting teamwork from your customer-facing staff through to your request processors and compliance managers. All of this happens in real time, with complete visibility and transparency for effective search, discovery, collation, erasure, and redaction in line with the exact requirements of each specific request type.
When your data access or data erasure request reaches completion, a pre-programmed alert sent directly to your teams and a secure response notification sent directly to your request subject are the final administrative steps towards achieving your end-to-end process.
This supports employee and customer trust and ensures you meet the tight ICO turnaround penalty-free. You’ve now disclosed the right response to the right request subject with complete confidence and regulatory compliance.
Change the game and take control of your Right to Access and Right to be Forgotten requests
Although running the gauntlet of GDPR Right to Access and Right to Erasure is a tough challenge, ensuring everyone across your enterprise understands and values data privacy, knows how to handle these requests, and is readily equipped with the right technology to process them means you’re taking a powerful preventative measure now, rather than risking costly consequences later.
Confident of the clear benefits AI-powered technology solutions will bring to your business, our expert Aiimi Insight Engine team is always on hand to equip you with the DSAR Solution you need to tackle these processes with ease. Safeguard your personal data, stay compliant, and support strong relationships with your valuable customers and committed employees. Your reputation counts.