GDPR - How to process subject access requests and data breaches
One of the key changes driven by GDPR is that individual data subjects have more rights:
- Article 15: Right of access by the data subject
- Article 16: Right to rectification
- Article 17: Right to erasure (‘right to be forgotten’)
- Article 18: Right to restriction of processing
- Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
- Article 20: Right to data portability
- Article 21: Right to object
Data breaches are something we always aim to avoid; however, it is important to acknowledge that you cannot guarantee you will never suffer a data breach of some type. Under Articles 32 and 33 of GDPR you need to have processes in place to deal with data breaches and, more importantly, to ensure you report them to the right authorities and people within the allowed time.
CRM can help you meet your obligations under GDPR by enabling workflows and business processes for managing Rights and Freedoms Requests and Data Breaches. Let's take a look at how you can create those simple workflows and processes.
Rights and Freedoms: "Data Subject Access Requests"
GDPR states you must respond to a Data Subject Request within 30 days. Relying on emails, paperwork or spreadsheets to manage these requests is risky: requests can be lost and deadlines missed.
CRM can help: you can implement an effective business process in CRM to manage and keep track of all Subject Access Requests. In Workbooks, for example, a simple workflow records the entire lifecycle of a data subject request, which not only ensures you meet your obligations but also lets you evidence this at any point in time.
By logging the request as a Case in Workbooks, you can record who the request is from, which right or freedom it refers to, and your attempts to validate the identity of the requestor, and you can apply an SLA (Service Level Agreement). You can then identify which data is involved and gather the appropriate information to reply. Throughout the process it is important to communicate with the data subject: first acknowledging the request (which you accept or reject depending on whether it is valid), then providing ongoing communication until you have completed the process and closed the request.
All the information and engagement related to the request is recorded in Workbooks, giving full visibility of the process from start to finish and ultimately allowing you to measure how the request was handled against its SLA. You are able to document and evidence what was done and when. You can create email templates that acknowledge the request, request validation of the requestor's identity, and so on, and these can be automated based on the previous action being completed, using our process automation engine.
Here at Workbooks this workflow is similar to how our support team handles tickets, using the Case Management functionality in CRM.
Let’s take an example of how a Data Portability Request would be handled using Workbooks. This type of data may have been provided to you by a prospect through a web enquiry form or it could be from a candidate that submitted an application form.
To get started you need to identify how the data subject originally provided this information to you, which will enable you to find the data input fields used to record it. Once you are clear on which fields you require, you can create a straightforward Person and/or Lead report.
In this example, we received a person's information through a free trial form. We identify the data fields we need for the report; in this case they are First name, Surname, Email, Telephone and Company.
Now let’s consider we have received a request. The first thing that happens is that a Case is created for it in Workbooks CRM.
We must verify the requestor's identity. Depending on what information we hold this can be done in different ways, but in this example we can only use the requestor's email address. We send the person an identity verification request email asking them to confirm that they originated the request. In Workbooks CRM you can create templates specific to your GDPR workflow, which can be found on the Send Email tab as shown below. This not only saves time but also ensures the correct communication is sent.
Once they have confirmed their identity, we can then use the report we created previously (from the data fields on the web form) to export the specific data. In Workbooks you can configure this so that it is on a tab in the case record and will only show the data submitted through the free trial form.
It is imperative that we password protect the file before sending it to the data subject. (Note: Do not send the password in the same communication!).
GDPR - Email Templates
Here are some examples of the templates you could use at the different stages in the process.
Below is an example of an identity verification request. In Workbooks CRM you can automate this process even further: you can mail merge fields from the case to ensure the correct information is used. Here we pull the person's name, the type of request and the close date (30 days from the request) from the case, and this information is automatically populated in the email.
Similarly, when replying to the person's identity confirmation, we can pre-populate the name and the date by which we aim to complete the request from the case.
To send the requested information you could use the template below, which notifies them that the file is password protected and that the password will be sent through another channel, for example SMS.
Processing Data Breaches in Workbooks
As a business it is crucial to be one step ahead and have a process already in place to deal with data breaches rather than trying to figure it out when one happens. We strongly recommend you implement an Incident Management Response process, and this can be done in CRM.
We will use an example so you can see how Workbooks can be used to manage this process and make life a little easier for your teams and help your organisation remain compliant.
You can set up an Incident Management workflow which will enable you to record the data breach that occurred, assess it, report to the ICO and communicate with the data subject.
In Workbooks you can create a Case record type tailored to a data breach incident.
You will be able to record the details of the data breach in the GDPR analysis section, which will help you decide on the next course of action. As you can see on the record, we can track our GDPR Data Role, the Breach Type, the Breach Impact and who we need to notify about the breach. This information ultimately determines whether you need to report the breach to the ICO, the data subject or any other party, e.g. another Data Controller.
You can also use the KPIs functionality to ensure you complete the process within the legal timeframe. Depending on the severity and type of breach you will need to report it to the relevant authorities within 72 hours, so this helps you track the process and meet the deadline.
Furthermore, Workbooks makes it easier for your Management team to keep track of any GDPR cases with a simple dashboard that shows whether you have met your SLAs, whether that is the 30 days for a rights and freedoms request or the 72 hours for a data breach incident.
We recently ran a webinar to discuss Supplier Assessments, Data Subject Access Requests and Data Breaches and how CRM can help; a recording is available.