Personal data is precious in Europe: under the General Data Protection Regulation (GDPR), all personal information relating to an individual, even fingerprints, is protected like a one-of-a-kind piece of art.
Since the GDPR took effect in May 2018, billions of dollars in fines have been levied against companies large and small for breaching privacy rules and misusing personal information. Some of the largest targets of GDPR enforcement have been the technology companies Meta and Google, which has made data protection a large business in its own right.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a strict data privacy law for businesses that collect data on EU residents. Under the GDPR, businesses are responsible for safeguarding many types of personal information, including a customer's IP address, cookie data, home address, and identification number. It was adopted by the EU in 2016 and officially enacted on May 25, 2018.
The GDPR applies to any company that does business in the EU and/or the European Economic Area (EEA) or collects data or information about individuals in those jurisdictions. Each country’s respective data protection authority polices the regulation. The UK also has a similar regulation called the Data Protection Act 2018.
The GDPR covers personal data (any information which is related to an identified or identifiable natural person), including but not limited to:
- Personally identifiable information (PII), such as names, addresses, contact numbers, or email addresses of users, visitors, customers, or members.
- Other personal information, such as political opinions or parties, ethnic origins, sexual orientation, and religious ideologies.
- Health data, such as genetic history, name, test results, emails, and audio recordings or physician notes about a patient.
- Biometric data, such as fingerprints, facial patterns, voice, or even the typing cadence of users.
- Web data, such as IP addresses, browsing activity, names, emails, and credit card information.
The GDPR has served as the model for privacy laws in several other jurisdictions, including Japan, Turkey, Brazil, Argentina, South Africa, Kenya, and the UK, and influenced the California Consumer Privacy Act, approved in early 2018, as well as the more recent privacy laws in 11 other U.S. states to date.
Punishments and fines for GDPR violations
For general violations, including data security breaches, companies risk being fined up to €20 million, or 4% of the company’s annual profits, whichever is higher. For specific violations, such as those caused by a design flaw or affecting a specific group, such as children, fines can be up to €10 million, or 2% of the company’s annual profits, whichever is higher.
Companies also risk non-financial penalties such as audits, cease-and-desist orders, prosecution, negative news coverage, and reputational risk.
What is a data subject access request (DSAR)?
Under the GDPR, individuals have the right at any time to ask a company to share the information it keeps on file about them. A data subject access request (DSAR or SAR) can be made by physical letter, email or social media, or even as an informal verbal request. Depending on country-specific law, anyone aged 16 or over, or in some countries as young as 13, can obtain confirmation of the digital and physical records, including recordings and photographs, that captured their protected data. DSARs give individuals a way to check that their data is not being mishandled or misused. They also help companies maintain strict legal compliance and assure customers and the public that they are responsible data stewards.
DSARs made on behalf of others
Data subject access requests can be filed on behalf of others, such as by an attorney for a client, a parent or guardian for a child, or a friend on behalf of another. However, the organization or company receiving the DSAR may also request additional proof of the relationship between the requestor and the person whose data is concerned, which can add time to the request.
GDPR compliance
The GDPR offers eight rights to a requestor:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights related to automated decision making, including profiling.
The GDPR sets out specific requirements for how companies must handle requests for access to information. Starting on the day the DSAR is received, a company has one month, that is, until the same date in the following month, to respond. No extension is allowed unless the request is complex or is accompanied by several other requests from the same individual. Companies also have the right, within reason, to refuse certain requests.
Best practices for handling DSARs
Set up a form for intake processing
The EU offers a data deletion request template applicable for some companies, but enterprises with a higher volume of requests will want to build out an automated and more robust process. Those with highly sensitive information, such as medical records, may want to build in identity verification (IDV) and two-factor authentication.
Create an internal process
It may be helpful to route all requests via a single channel that your team can monitor to ensure that responses are provided within the one-month mandated timeline. All relevant company staff should be fully trained in the DSAR process so that verbal or misrouted requests are escalated properly.
Handling a DSAR should include verifying the requestor's identity where the controller has reasonable doubts about the identity of the natural person making the request. If the request is unclear it should be clarified; the requested data should then be inspected and properly formatted, and the response should be accompanied by a clear statement of the requestor's rights to follow up with further requests, such as deletion or a complaint. Requests and their responses should also be cataloged, and a quality control process should be in place.
Responses may require redaction if they could include information about other parties or internal information unrelated to the original request, so companies should be prepared to handle these specialized responses. Some requests will also be time-consuming; depending on their complexity and number, the response period may be extended by up to two months. Requests that are "manifestly unfounded" or "excessive" may be refused, or a reasonable fee may be charged to the requestor.
Build a streamlined process for data deletion
Like other DSARs, data deletion requests are likely to require human intervention at some stage, though parts can be automated, for example by sending requestors guidance that walks them through the manual deletion process. Some companies automate data deletion upon receipt of specific DSARs.
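Putting the timeline and verification rules above into one place, as an added example that is not Persona's code: a minimal DSAR intake tracker that computes the response deadline (same date next month, or three months from receipt when the two-month extension applies to a complex or bundled request), flags when identity verification is needed, and catalogs each triage decision. The fallback to the last day of the month when the same date does not exist, and the list of sensitive categories, are this example's assumptions.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date

# Categories that always trigger identity verification in this example
# (assumption: the page only says "highly sensitive information").
SENSITIVE = {"health", "biometric", "genetic", "political", "religious"}

@dataclass
class DSAR:
    request_id: str
    received: date
    kind: str                     # "access", "erasure", "rectification", ...
    categories: tuple            # data categories in scope of the request
    complex: bool = False         # controller judged the request complex
    bundled_count: int = 1        # open requests from the same individual
    identity_doubt: bool = False  # reasonable doubt about who is asking
    log: list = field(default_factory=list)  # catalogue of actions taken

def add_months(d: date, months: int) -> date:
    """Same calendar date `months` later; when that day does not exist (31 Jan
    + 1 month) fall back to the month's last day (this example's assumption)."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def extension_applies(req: DSAR) -> bool:
    # Only complex or bundled requests may take the two-month extension.
    return req.complex or req.bundled_count > 1

def due_date(req: DSAR) -> date:
    """One month from receipt, or three months in total when extended."""
    return add_months(req.received, 3 if extension_applies(req) else 1)

def needs_identity_verification(req: DSAR) -> bool:
    return req.identity_doubt or bool(SENSITIVE & set(req.categories))

def triage(req: DSAR, today: date) -> dict:
    extended = extension_applies(req)
    decision = {
        "due": due_date(req),
        # The requestor must be told about an extension within the first month.
        "extension_notice_by": add_months(req.received, 1) if extended else None,
        "verify_identity": needs_identity_verification(req),
    }
    req.log.append(f"{today.isoformat()} {req.request_id}: {decision}")
    return decision

# Constructed sample: health-record access request received on 31 January.
SAMPLE = DSAR("dsar-0001", date(2024, 1, 31), "access", ("health", "email"))
```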
Handle DSARs for GDPR with Persona
With the size of GDPR fines, remaining compliant with regulatory directives is a top priority that organizations can sometimes struggle to balance against revenue-driving initiatives. Persona puts regulations, responsiveness, and reputation first so you can focus on your core mission and strengths.
Our Cases product can be fully customized to serve as the central dashboard for your team to track, sort, and escalate complex DSARs, ensuring that your organization responds within the mandatory timelines of the GDPR.
With our Verifications solution, you can quickly and easily complete initial verification or IDV reviews when requests involve sensitive information. You can also verify the relationship of a requestor to the end user for subject access requests, only gathering the minimum amount of data required under GDPR to comply with data minimization requirements. Our variety of reports allows you to build out a fuller picture of your requestors if required via various database queries. Via the Persona dashboard, you can quickly delete any information that is no longer needed once the verification is complete.
If you use Persona as the repository for your users’ personal information, you may also use our deletion features to comply with a deletion request and provide a report back to the requestor.
All of this can be done with assurance that data continues to remain safe and secure and even deleted as per the GDPR. Interested in learning more? Start for free or get a demo today.