I once had a contract to consult a small firm with an international presence. It had a help desk configured as “follow the sun”: where different teams are placed in geographically distributed locations, so customers can always interact with a real person in real time.
During off peak hours, the company relied on a multi-tenant call centre, where helpdesk staff attend queries from different companies. That call-centre team, considered low risk, had insufficient training to recognise data subject requests (DSARs) and put them in the system, and consequently multiple requests were routinely missed.
This situation is quite common for growing companies that focus on customer service and retention. They do as much as they can to provide round-the-clock support, which is something that happy customers really appreciate. The problem is: when things start going wrong and the customer gets annoyed and starts asking for their data to be deleted, this isn’t always picked up.
Contrary to popular belief, a DSAR does not have to be made in writing, it can also be made verbally. As if there was not enough complexity in covering different channels for requests made in writing, such as letter, email, web form, social media, etc. verbal requests are typically harder to log, trace, and analyse.
Verbal requests are typically harder to log, trace, and analyse.
When a privacy training programme was eventually launched in the small, international firm and the team became well equipped to recognise DSARs, the company found itself in trouble. Staff now had to deal with a heavy workload and short deadlines.
The moral of the story is not to leave any gaps in how you tackle DSARs.
While it is a good first step to provide logical ways for data subjects to make requests, this needs to be combined with coverage of all entry points. You need to anticipate incoming requests from virtually anywhere where there is interaction with customers.
In practice, an organisation can have all of the measures it deems “logical” in place, only for customers to bypass them altogether. This “irrationality” of customer behaviour is a well known phenomena in the world of economics, and seems to be characteristic of our very human nature.
In short, no matter how much organisations try to signpost and orient customers’ actions, consumer behaviour is not always predictable. For DSARs, this means you could miss the deadline of fulfilling the request within one calendar month, and that can be escalated by the customer, ending up in an enforcement notice issued by your local data protection authority (DPA).
Reaching this stage can put your organisation under stress by being in the DPA’s spotlight, especially given that not complying with the enforcement notice is a criminal offence.
To ensure no DSAR goes unrecognised, a three-pronged approach can be adopted to avoid blind spots in your customer-based perimeter and ensure requests are detected, collected, and dealt with:
Have administrative processes in place, with a well-designed workflow.
As a foundation, you should have documentation set in the form of company-wide policies to set the general direction. For the process to be effective, you should have procedures: detailed instructions which must be clear, concise, and set in accordance with the structure of the organisation, its business objectives, and its culture.
Adequate documentation in place is a must have for effective DSAR management, and it shows support and commitment from senior executives. However, usually the hardest part lies in embedding the processes in the business-as-usual running of operations.
Educating your staff on the need for data protection, and embedding privacy values goes a long way towards minimising margins for error and the risks of non-compliance.
Training requirements should not be relegated to a checkbox exercise to be performed annually, often only touching upon aspects that are only related to the specific tasks carried out by your staff.
Training must be relatable and engaging, and result in tangible outcomes that can be evaluated using metrics.
In addition to training, having a set of local work instructions which offer clear guidance can prepare employees to detect DSARs and ensure correct inclusion into the workflow.
Privacy champions can act as the nexus between employees and the Data Protection Officer (DPO) or the Privacy Office, resolving queries on the spot, without the need to escalate.
Having a mechanism for customer requests doesn’t fence you off from them choosing other routes to communicate their privacy queries to you. But while effective training can keep your staff informed of who to forward the requests to, you can also use technology to manage DSARs.
The cool factor of deploying a new tool must be paired with an increase in performance. Correct configuration and maintenance are crucial, but even more so the judicious application of access controls and extra security measures: given the sensitive nature of DSARs, a centralised repository of requests and associated data needs to be protected from attacks and employees without a ‘need to know’.
These three elements are to be applied across the entire organisation, especially where customers may interact with employees, be it the helpdesk, HR, marketing, etc.; not only online and in digital form, but also via physical mail, telephone conversations, and face to face.
Coming back to the organisation with the follow-the-sun help desk, after the big workload and realisation that things needed to be done differently, the company’s leaders applied the training, tech, and processes to avoid future problems and risk of hefty fines. They did so in three steps:
All in all, this resulted in a workflow engine which allowed for a smooth transition between the stages of receiving, processing, and responding to DSARs with no weak links in the chain. All requests were captured, logged, and fulfilled promptly, in budget and on time.
Having the right process and mechanisms in place means no need to divert resources to tackle crises, no fines to face, no reputational impact, and no unhappy customers.