Each of the ‘Privacy Fails’ we discuss in this series of short articles is real. They are based on things we have seen at The Privacy Compliance Hub. They are based on reports from regulators of the complaints they have received; the data breaches reported to them; and the fines and other enforcement actions they have levied. These things do happen. A lot. Don’t let them happen to you. Don’t be a numpty.
The privacy fail
At number one – failing to respond to a subject access request (SAR). Such a failure may be a failure to respond at all; a failure to respond within the time limit (one calendar month from receipt, which the GDPR allows you to extend by up to two further months for complex or numerous requests, but only if you tell the individual about the extension, and why, within the first month); or a failure to respond adequately to the request.
A SAR is an exercise of the right of access, which is one of the rights individuals have under the GDPR:
- the right to be informed;
- the right of access;
- the right of rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object to processing; and
- the right not to be subject to a decision based solely on automated decision-making, and the rights in relation to profiling.
A privacy statistic
29% of all complaints made to the regulator in Ireland (the Data Protection Commission, or DPC) in 2019 were about responses to (or lack of responses to) subject access requests. This was a similar percentage to complaints under the old laws, but the number of complaints was substantially higher under the GDPR. For example, in 2014 the DPC received a total of around 1000 complaints. In 2019 it received more than 2000 complaints regarding subject access requests alone.
Real life example(s) with real life consequences
The DPC received a complaint against a healthcare group arising from its refusal of a request for rectification under Article 16 of the GDPR. The complainant alleged that the healthcare group was incorrectly spelling his name on its computer system by not including the síneadh fada, an accent that forms part of the written Irish language. The DPC made a limited order aimed at satisfying some of the complainant’s requests. The point is that regulators will act on individual rights requests, even where the rectification sought is as small as a single accent.
A court case arose in the UK where a doctor brought an action against an individual (and a company with which that individual was connected) for failure to comply with subject access requests adequately or at all. The individual had brought a separate complaint against the doctor to the General Medical Council (GMC). In the court case, after what must have been a very expensive legal process, the court made an order for production of the personal data sought.
How to avoid this privacy fail
Train your staff to spot a SAR. For example, they may not know that a SAR doesn’t have to be written down, doesn’t have to mention the GDPR or use the words ‘subject access request’, and can be made to any part of your organisation, not just to the person in charge of privacy. If you have customer support staffing phones or social media channels, they should definitely know this. Your staff should also know that the one-month clock starts when the request arrives, not when someone finally recognises it as a SAR, so they have to act very quickly. And finally, all your staff need to know who to pass SARs onto for processing. Consider using one dedicated email address that all your staff know. Before releasing anything, verify the requester’s identity in a way proportionate to the sensitivity of the data, and remember that you cannot normally charge a fee. Record all your decisions and your justification for those decisions, including any decision to extend the deadline or to withhold information under an exemption.
In short, train your staff, have a process that everyone knows and follows, test your process and record everything in one place. This is an essential part of any culture of continuous privacy compliance.