Is the board listening? We all know that GDPR will be enforced from 25th May 2018, but is your board aware of their new privacy obligations? While there is substantial GDPR coverage in the technical press, has the message got through to senior management? Are their preparations adequate?
In January, during the ICO hosted webinar ‘Personal data and the GDPR – building consumers trust and confidence’ a spokesman said that later this year, on 8th April, the ICO will announce their key communication messages ‘that help bring the GDPR to life in a practical and proportionate way to UK citizens ‘. So like it or not, public awareness of their rights and freedoms is starting soon.
One of the privacy obligations that management will need to provide for, is the obligation to allow data subjects access to their personal data. The GDPR states that the reason for this obligation is ‘in order to be aware of, and verify the lawfulness of the processing’ (Recital 63).
What’s new with DSAR’s versus SAR? There are 3 key changes between the existing Subject Access Request of the Data Protection Act and GDPR DSAR. These are:
Take a look at our blog post on how managed file transfer can help with the requirements of the GDPR.
Supervisory Authorities across Europe will be highlighting new privacy rights – these awareness communication programmes targeted at EU citizens (such as the UK ICO’s mentioned above) will undoubtedly lead to increased demand for DSAR handling.
Fee’s for DSAR are dropped- the absence of any fee’s on the data subject’s part may prompt some citizens to submit DSAR’s whenever they are disgruntled with an organisation. This may create administrative pressures which may be burdensome and may make meeting the 30 day processing requirement unachievable.
DSAR volumes may be difficult to predict- the number of DSARs will be hard to forecast. If volumes are substantially higher than the current SAR requests additional resources will be required
Avoiding Administrative fines by Supervisory Authorities – If DSARs are late or incorrect, the data subjects will have the right to approach the Supervisory Authority to complain. Depending upon the circumstances this may initiate an administrative fine.
Permission for 'Class like' actions’ – it will be possible for data subjects to work together on a joint action.
Organisation’s should consider the following when setting up their DSAR processes:
DLP Assured Ltd are specialists in governance, risk and compliance having worked in the industry for decades. If you have concerns about your adherence to the GDPR and your ability to conduct DSARs, take a look at their solution, GPRC Hub.
GPRC-Hub is a cloud based Governance, Risk and Compliance system that is designed to help staff engage with an organisation’s information governance programme. The system provides a range of services to automate and simplify governance tasks.
Would you like a short solution tour of GPRC Hub? Book a demonstration with us today.