Challenging Data Subject Requests

58% of organizations do not use technology to handle data subject requests, and 26% find the searching of the systems the most challenging.

Data Subject Requests

Since May 2018, when GDPR became applicable, it has been free for individuals to request access to their personal data being processed by data controllers (GDPR article 15). This, of course, comes at a cost to organizations, as they have had to answer those data subject requests. Most organizations have had an increase in the number of data subject requests they receive in the last five years.

Among other things, the increase is caused by a rising focus on data subject requests as a fundamental right for data subjects as well as a tactical use of access requests in disputes with customers/citizens or (former) employees. The increase in data subject requests is expected to continue in the coming years due to an increased focus on the right to request access to personal data in combination with growing digitalization and the associated increase in the processing of personal data.

Even though the compliance or legal departments often have overall responsibility for handling access requests, the requests often affect all parts of the organization where personal data is being processed. Handling them requires significant resources and can lead to high internal costs.

EY Law Survey Data Subject Access Requests

The challenges regarding access requests are underpinned by the 2023 EY Law Survey on Data Subject Access Requests, which is based on a survey conducted in late 2022 in the financial services industry.

The report shows that 39% of the participants in the survey don’t believe that the risks associated with data subject requests are fully understood by the organization. Limited or no understanding of a data subject request causes a higher risk for subsequent complaints (both to the data protection authorities) by the data subjects.

The limited understanding of the risk can lead to mishandling of the access request as an access request, inappropriate scoping of the access request, missing reporting deadlines and inadvertently sharing personal data (which constitutes a personal data breach).

58% of the respondents in the survey do not use technology to handle data subject requests, and 51% of the respondents have received complaints from individuals about their data subject request response.

Respondents to the survey identified the following processes as the most challenging when it comes to responding to data subject requests.

Cookie Information Data Subject Request Tool

Cookie Information has developed a central digital platform for handling data subject requests, which supports you in identifying data about the person requesting access to their personal data across relevant IT systems. The tool scans systems for personal data included in the data subject request. The result of the scanning is a list showing the actual files (including links), what personal data has been found in them and information about when the files were last accessed.

The scanning can be done within the first days after receiving the data subject request, which leaves more time for the next step in the process: assessing which personal data should or should not be handed over to the data subject, and whether any information in the documents with personal data must be redacted because providing it to the data subject violates e.g. business secrets or another person’s rights (data breach).

Using Cookie Information’s data subject request tool reduces what 26% of respondents, according to the EY survey, see as the biggest challenge in relation to data subject requests. Handling the DSR from a central digital platform reduces the internal resources required by data subject requests because the first part of the data subject request can be handled digitally with little human involvement. A centralized digital platform also reduces the risk of personal data being missed in manual searches.

Digitalization and centralization of the scanning for personal data in a data subject request both release internal resources to pursue other projects (e.g. other privacy assignments which have been postponed due to data subject requests) and ensure that the organization can continue to handle the growing number of data subject requests efficiently going forward. Reach out if you want to hear more about our solution.