Exercise of the rights of the data subject – how long does it take?
One of our clients received a request from one of its employees (Mr. X) for a copy of the data collected about him, together with information on the purposes for which the data are processed and where. At first, the DPO who received the request thought "nothing terrible" and asked all managers of organizational units to send him a copy of Mr. X's data and information on the systems and locations in which his data are processed. It is not difficult to imagine the confusion this message caused in the organization, and it did not help the DPO at all.
Time was running out, and the DPO did not know which of the 5 men named X whose data the organization held was the person exercising his rights, or how to go about fulfilling the request. As a consequence, it took 12 days of work to identify the data subject, fulfill his requests and reply. Based on these experiences, we designed the process for exercising the rights of data subjects in BPM GDPR.
It provides not only supervision of the requests that come to the organization concerning the exercise of data subjects' rights, but also unambiguous identification of the applicant. Thanks to the connections built using the register of processing activities, we can efficiently and automatically search for the resources (systems and rooms) in which the applicant's data are processed, the processing activities in which the applicant's data are involved, and the persons who can support the DPO in fulfilling a given right (resource owners). After identifying the connections, the system allows us to start the process of exercising the right, directing appropriate tasks to individual people.
After the BPM GDPR platform was implemented in the organization, the time needed to handle similar data subject requests was shortened to 1 day.
On February 28 this year, information about an administrative fine appeared on the UODO website. It was imposed on Fortum Marketing and Sales Polska. The President of UODO imposed an administrative fine in the amount of PLN 4,911,732.
From 21:00 on February 21 to 23:59 on March 4, the CHARLIE - CRP alert level applies throughout the country.