As the deadline approached last year, companies scrambled to update their data protection practices. As it happened, some companies did get fined for non-compliance. Following a long period of adjustment, however, GDPR requirements have become normalised into existing compliance programs.
What many companies were ill-prepared for was the onslaught of consumers exercising their rights under the new regime. Under GDPR, a consumer can file a Subject Access Request (SAR) with an organisation to determine whether that organisation is processing personal data concerning him or her and, if the information has been shared, the names of the parties with which it has been shared.
In fact, these are but a few of the searching questions that the user, as the data subject, can demand answers to. Further, once the SAR has been dispatched, the organisation is legally obligated to comply with the request, retrieve the information, and formally respond to the data subject – all within a month.
Subject Access Request
SARs have become a vexing issue for data controllers as they try to cope with the glut of requests by customers. A number of factors are responsible for this:
Firstly, there’s no easy way of determining what constitutes a SAR; the regulation empowers the data subject to make a request in the way he or she deems fit – this can be either a handwritten request, a verbal communication or a digital one, ranging from emails to tweets. Given this lack of structure and standardisation, it’s difficult to identify and segment SARs in a scalable way. Organisations are, thus, at risk of being unable to respond to them on time, or failing to take action altogether.