Five Smart Steps to Prepare for GDPR Data Subject Rights

BY Sonia Cheng, Eckhard Herych
December 01, 2017

Many corporations around the globe are preparing for May 2018, when Europe's General Data Protection Regulation (GDPR) enforcement kicks in. The regulation encompasses a wide range of nuanced privacy requirements that can be challenging to operationalize. In particular, requirements around the rights of European data subjects — which include the right to be forgotten and rights to access, rectification and objection to processing — will be some of the most difficult to address.

The GDPR states that individuals should have the right to access their personal data so that they are aware of and can verify the lawfulness of its processing. Requests must be responded to promptly, within one month, leaving companies very little time to perform a task that they may not be equipped to handle. The right to be forgotten provision presents similar challenges, giving EU citizens the option to require erasure of their personal information. No barrier exists for citizens to exercise these rights, and some countries are planning campaigns to educate the public on them in the coming year. The most operationally complex new data subject rights are:

  • Right of Access: EU residents may at any time obtain access to their personal data (what it is, where it is stored and how it is processed) from any entity that houses this information.
  • Right to be Forgotten/Right of Erasure: Individuals covered by the GDPR may at any time require an organization that stores their personal data to dispose of and erase it from any and all information sources.
  • Right of Data Portability: Data subjects may require an organization to transmit their personal data directly from one controller to another, requiring a company to securely migrate everything containing information on a subject to another provider when processing was based on consent or a contract.
  • Right to Restrict Processing: Individuals have a right to “block” or suppress processing of personal data. When processing is restricted, an organization may store the user's personal data, but not further process it and may retain just enough information to ensure that the restriction is respected in the future. Individuals also have a right to not be subject to automated processing or profiling.

Examining what the invocation of a data subject's rights would look like in reality can underscore the importance of this issue. Take the hypothetical example of a medium-sized life insurance company that insures one million customers and must fulfill an average of one data subject access request per insured once every 2,000 years. This conservative estimate equals .05% of one million — or 50,000 requests — per year. Boiling that 50,000 down to the day equals 200 requests per day, or 25 requests per hour for a standard eight-hour work day. Consider the dedicated staff and resources that may be needed to handle such a burden. Organizations in banking, insurance, retail and other industries that involve large volumes of private customer data should realistically prepare for volumes higher than conservative estimates.

Some organizations are responding with manpower — hiring additional staff to churn through incoming requests. Yet, extra resources may not fully mitigate the inherent risks that come with thoroughly and comprehensively fulfilling requests, controlling data leakage or enabling the right to be forgotten. In an already challenging data landscape, where most organizations deal with high volumes of data in many locations, disparate tools, lack of holistic information governance (IG) and a lack of standardized guidelines for GDPR readiness, it's easy to feel overwhelmed and underprepared.
