PRIV-7 Data Access Requests


What is this control about?

Implementing the control for ‘Data Access Requests’ is crucial for organizations to ensure compliance with data protection regulations and safeguard individuals’ privacy rights. The control involves establishing a systematic and well-defined process through which individuals can request access to their personal data that an organization holds.

Available tools in the marketplace

Tools:

Available templates

TrustCloud maintains a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version:

Control implementation

In general, you should implement a mechanism such as a link or a form for your users to request their data. This mechanism should be made available on the website. Here are some guidelines to implement a mechanism for Data Access Requests:

  • Understand Data Protection Regulations: Familiarize yourself with the relevant data protection regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Understand the requirements for data access requests, including response timelines and data subject rights.
  • Design Data Access Request Procedure: Develop a clear and comprehensive procedure for handling data access requests. This procedure should outline the steps to be followed when receiving, verifying, and responding to requests, as well as how to handle any potential challenges, such as verifying the identity of the data subject.
  • Assign Responsibility: Identify the personnel responsible for managing data access requests. Designate a Data Protection Officer (DPO) or a team to oversee the process, ensuring there is accountability and clear ownership.
  • Educate Staff: Train relevant staff, including customer service representatives, IT personnel, and others who may be involved in receiving and processing data access requests. Ensure they understand the importance of privacy and the proper procedures for handling such requests.
  • Establish Communication Channels: Set up dedicated communication channels, such as an email address or a web portal, for data subjects to submit their access requests. Ensure that these channels are easily accessible and prominently communicated to customers.
  • Verify Data Subject Identity: Develop a robust process to verify the identity of data subjects making access requests. This may involve requesting additional information or documentation to ensure the request is legitimate.
  • Document Requests: Maintain a log or register to track all data access requests received. Document the date of receipt, the nature of the request, the actions taken, and the response provided.
  • Respond within Timeframes: Adhere to the regulatory timelines for responding to data access requests. Typically, organizations are required to respond within a specific period, such as 30 days.
  • Provide Access to Data: When responding to data access requests, provide the data subject with access to their personal data in a clear and understandable format. Ensure that any third-party information is appropriately redacted to protect the privacy of other individuals.
  • Maintain Audit Trail: Keep an audit trail of all actions taken in response to data access requests. This includes any communications with the data subject, any changes made to their data, and any disclosures made to third parties.
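The guidelines above describe one procedure: log each request on receipt, verify the data subject's identity before anything is released, respond inside the regulatory window, redact third-party information from what is returned, and keep an audit trail of every action. The following is an added example that implements that procedure as a small in-memory request register; it is illustrative code written for this page, not TrustCloud's own tooling or template. It assumes a 30-day response window (the typical period the guidelines cite), an in-memory store in place of a real database, and that third-party information is limited to e-mail addresses for the purpose of the redaction helper; the class and function names are all invented here.

```python
import re
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed response window: the guidelines cite 30 days as a typical regulatory period.
RESPONSE_WINDOW_DAYS = 30

# Simplified e-mail pattern used by the redaction helper (assumption: third-party
# data in exported records is identified by e-mail address).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass
class AuditEntry:
    """One line in the audit trail: who did what to a request, and when."""
    timestamp: datetime
    actor: str
    action: str
    detail: str


@dataclass
class DataAccessRequest:
    """One entry in the data access request log (date received, nature, actions, response)."""
    request_id: str
    subject_email: str
    received_on: date
    nature: str
    identity_verified: bool = False
    status: str = "received"          # received -> verified -> responded
    response_sent_on: Optional[date] = None
    audit_trail: List[AuditEntry] = field(default_factory=list)

    @property
    def due_date(self) -> date:
        """Regulatory deadline computed from the date of receipt."""
        return self.received_on + timedelta(days=RESPONSE_WINDOW_DAYS)

    def is_overdue(self, today: date) -> bool:
        """True when no response has been sent and the deadline has passed."""
        return self.response_sent_on is None and today > self.due_date


class DsarRegister:
    """Request log and audit trail. A real deployment would persist to an append-only store."""

    def __init__(self) -> None:
        self._requests: Dict[str, DataAccessRequest] = {}

    def _audit(self, req: DataAccessRequest, actor: str, action: str, detail: str) -> None:
        req.audit_trail.append(AuditEntry(datetime.now(timezone.utc), actor, action, detail))

    def log_request(self, request_id: str, subject_email: str, received_on: date,
                    nature: str, actor: str) -> DataAccessRequest:
        """Document a newly received request; the receipt itself is the first audit entry."""
        if request_id in self._requests:
            raise ValueError(f"duplicate request id {request_id}")
        req = DataAccessRequest(request_id, subject_email, received_on, nature)
        self._requests[request_id] = req
        self._audit(req, actor, "received", nature)
        return req

    def verify_identity(self, request_id: str, actor: str, method: str) -> None:
        """Record that the data subject's identity was verified and by which method."""
        req = self._requests[request_id]
        req.identity_verified = True
        req.status = "verified"
        self._audit(req, actor, "identity_verified", method)

    def record_response(self, request_id: str, actor: str, sent_on: date) -> None:
        """Record the response; refuses to release data to an unverified requester."""
        req = self._requests[request_id]
        if not req.identity_verified:
            raise ValueError("cannot release data before the data subject's identity is verified")
        req.response_sent_on = sent_on
        req.status = "responded"
        self._audit(req, actor, "responded", f"response sent {sent_on.isoformat()}")

    def overdue(self, today: date) -> List[str]:
        """Request ids that have passed their deadline without a response."""
        return [r.request_id for r in self._requests.values() if r.is_overdue(today)]

    def get(self, request_id: str) -> DataAccessRequest:
        return self._requests[request_id]


def redact_third_parties(record: Dict[str, str], subject_email: str) -> Dict[str, str]:
    """Mask every e-mail address in a record that is not the requesting subject's own."""
    def mask(text: str) -> str:
        return EMAIL_RE.sub(
            lambda m: m.group(0) if m.group(0).lower() == subject_email.lower() else "[REDACTED]",
            text,
        )
    return {k: mask(v) if isinstance(v, str) else v for k, v in record.items()}
```

The register enforces the ordering the guidelines describe: `record_response` raises if identity verification has not been recorded, so a response cannot be logged for an unverified requester, and `overdue` gives the privacy team a daily list of requests approaching or past the 30-day deadline. The audit trail is appended to, never edited, which is what an auditor reviewing the "example of response record" will want to see.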

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the following suggested actions:

  1. Provide the Data Access Request Procedure
  2. Link to the Data Access request form
  3. Data Access Request Log
  4. Example of response record

Evidence example

For each suggested action, an example is provided below:

  • Provide the Data Access Request Procedure

Use Data Access Request Procedure Template

  • Link to the Data Access request form

Screenshot: PRIV 7 2 DSAR form

  • Data Access Request Log

Screenshot: PRIV 7 3 Subject Request

  • Example of response record

Screenshot: PRIV 7 4 example DSAR
