How do requests for the exercise of the rights of data subjects “disappear in the organization”?

05 May 2021
Ryszard Kluska

Our experience with GDPR compliance shows that organizations frequently struggle to ensure an effective and accountable internal communication channel, e.g. for handling data subjects' rights requests or for reporting and handling personal data breaches. These issues particularly affect organizations with an extensive organizational structure that use the services of many processors.

For this reason, we verify the process of exercising data subjects' rights as part of our GDPR Compliance Audit. During one such audit, we submitted 12 requests on behalf of fictitious persons through various communication channels (telephone, e-mail, traditional letter), including:

  • Request for the deletion of personal data (Article 17 of the GDPR),
  • Withdrawal of consent for marketing purposes (Article 7(3) of the GDPR),
  • Request for information regarding personal data (Article 15 of the GDPR).

In the audited organization, the adopted procedure for handling data subject requests obliged all employees to forward any received request to the DPO via any communication channel. This procedure was also laid down in the Personal Data Protection Policy and was an important part of the mandatory employee training.

Nevertheless, out of the 12 submitted requests, only 4 finally reached the DPO, and the time from receipt by the organization to handover to the DPO ranged from 3 to 9 days.

Pursuant to Art. 12(3) GDPR, the controller must, without undue delay and in any event within one month of receiving the request, provide the data subject with information on the action taken on the request. Failing to reply to the person submitting the request may expose the organization to serious consequences: a violation of the rights and freedoms of the data subject and, consequently, the initiation of administrative proceedings by the Personal Data Protection Office.

We repeated a similar audit after a one-year interval, following the implementation of the BPM GDPR platform. This time, all 12 submitted requests reached the DPO, and the time from receipt by the organization to handover to the DPO was at most 24 hours.

Because the BPM GDPR platform has no limit on the number of users, every employee of the organization can forward a data subject's request to the DPO. The effectiveness of our solution lies in its ease and speed of use, while ensuring full accountability and correctness of the process.

#IT
#security
#Tests
