Subject. Access. Request. SARs.
Er, pardon me?
Translated from priv-speak, the “Subject” means you and me, and an Access Request is where we exercise our right to ask some basic questions: who has got my data, why, and where is it held?
In the context of GDPR, allowing for the Right To Access is ground zero, the lowest common denominator, and it has certainly been treated as the Cinderella of many compliance programs which rumbled to a conclusion last year.
Seven months on, while processes exist across a range of GDPR requirements, SAR handling has been a bolt-on, and by taking a ‘compliance-driven’ approach, I think many companies are missing a trick. Here’s why:
GDPR articles 13 to 15 specify what information an organisation needs to provide in a privacy statement or on request. Beyond this there isn’t really any guidance to go on, and with nature hating a vacuum, a traditional, paralegal process has become the default for handling SARs.
Typical channels for a SAR are a form on the organisation’s website, a phone call, or an email to an address mentioned in a privacy statement. Last year, the Institute for Internet Security and Ruhr University Bochum in Germany did a ‘mystery shopper’ study on user transparency under GDPR using these methods. *
The German study found major differences in how companies handle enquiries, ranging from not responding at all, through simply sending the personal data via email, to requiring (physical) letters which must include a copy of a government-issued ID card and signed affidavit.
Some enquiries required a trail of 13 emails before the company would consider the request ‘valid’, and most were handled by an anonymous individual on the company side. The survey concluded that neither the burden of identity verification, nor the workload on the user were justified for the question asked — “do you have my data?”
At Tap, feedback from users of our GDPR rights app bears this out. Many were asked to send sensitive personal data and scanned ID documents to companies via email or post, and to state exactly what information they were seeking, before the clock was deemed to have started on the one-month response period for requests.
What does this tell us? That it’s not appropriate to roll out the same methods and tactics for SARs as those in the FOI (Freedom of Information) playbook. The people increasingly making SARs are not all ex-employees, privacy activists and investigative journalists.
More often, they may be concerned customers who’ve heard about a data breach in the media, a surprised recipient of marketing from a company they don’t recognise, or someone simply curious about where their data has got to.
The good news is, by freeing access requests from the ‘dungeon’ of GDPR compliance we can start to use them as an important lever in our ongoing Customer Experience strategy.
If companies treat SARs as a ‘data dialogue’, rather than first step in an adversarial process of legal escalation, they will be pleasantly surprised. Most people who receive an adequate, thoughtful response don’t automatically want their data deleted, or take up a complaint with the regulator.
Customers are often content, from an informed basis, to leave things as they are, or they want to correct their information: they start to do their own CRM on the data held by companies. It’s human nature that the memory of how we were treated when we asked a question, or after something went wrong, stays with us long after the buzz of acquisition or getting ‘something for nothing’ has melted away.
Written by Gilbert Hill – CEO at Tapmydata – CIPM
Over the next few weeks, we’re going to be sharing more of the data and insights from our own platform to help drive a more balanced discussion around SARs, GDPR rights and privacy. Please get in touch if you’d like to know more…
* Urban, Tatang, Degeling, Holz and Pohlmann, “The Unwanted Sharing Economy: An Analysis of Cookie Syncing and User Transparency under GDPR”, 2018.