The GDPR gives every citizen the right to access their data. However, this right is often very difficult for companies to implement. Before you start responding to the request, the identity of the data subject must first be verified. This is important because it must be determined whether the person is entitled to receive information about this data at all.
Identity verification
This raises the question of how to verify the identity of the person concerned in the first place?
One option would be to ask for a copy of the ID, although this route again involves risks. Should a person request from whom you have no data stored, sensitive personal data is stored in your system by the transmission of the ID copy. In addition, it is also difficult to determine whether the ID is fake or not.
Another way to verify identity would be through a videoconference, where the individual holds their ID up to the camera. This process does not store any sensitive personal data, for which the time required is very large. However, it must be expected that many who would like information about their data do not have the technical requirements to make a video chat. These persons also have a right to data information.
The identity must be verified! If this is not done, there is a risk that data will be passed on to unauthorized persons. The result would be a data breach. This not only costs the company money, it also damages the company’s reputation.
Finding the data
Once the identity of the data subject has been established, the data must be located in the various systems. Every company has several systems in use (e.g. marketing, sales, payroll, accounting, etc.) and data must now be read from all these systems. In addition, for data protection reasons, not every employee may have access to every system. Consequently, several employees are immediately busy looking up what data about the data subject is stored in the company.
This may require several hours of work.
But what to do when a whole flood of inquiries comes your way? Austrian Post has shown us how quickly this can happen. One report in the media was enough to flood Österreichische Post AG with inquiries from those affected.
Therefore, you should be prepared for such an incident. With easyGDPR, you can automate your affected party requests and thus minimize your effort. The data subject simply fills out a form with e-mail address, phone number, etc., and the system then verifies the data provided. Once the identity has been established, the relevant data is automatically read from the various systems, a response is generated and sent to the responsible employee for checking. The latter takes another look at the requested data and sends it to the data subject.
It can be that simple if you rely on the right system! With easyGDPR Affected Person Requests, your company is prepared!
Have we aroused your interest? Then contact us! After our discussion, we can send you an offer tailored to your company.
Current case from Hungary
In Hungary, a data subject requested to see documents related to a dispute and, in addition, wanted to have copies of the videos from the surveillance cameras as evidence for a lawsuit. However, the company rejected this because the recordings would not support the data subject’s claims. The company was subsequently fined the equivalent of €3,135.00 by the Hungarian data protection authority for violating the data subject’s right to information. The amount of the penalty in this case makes 6.5% of thecompany’s annual income .