Logging data subjects' requests as part of the 8 rights under GDPR
Following up on last week’s article about timescales, we’ll look this week at the issue of logging requests that come in as part of the eight rights under GDPR. Customers, clients and users exercise most of these rights by submitting a request to the firm holding and processing their data - the right to be informed is more automatic, with the onus on the body collecting the data, and the right to restrict processing can also be triggered as part of the right to rectification.
Vector Graphics by vecteezy.com
Logging these requests is a useful way for firms to both track the progress of individual cases and to demonstrate compliance with the GDPR. As an example, when a customer requests that their data be rectified, the log can be used to record the date of receipt and calculate the date by which the request must be completed. Larger firms may also benefit from additional functionality built into bespoke logs, such as recording the stage of decision the case is at, who the decision maker was, links to documentation laying out the justification for any refused requests, etc. Where requests are received verbally, the log can also form the basis of the documented request.
The log in this example would be able to evidence, at a glance, whether timescales were complied with. Additionally, well maintained logs can be used to collate or record where case documentation is stored, for efficient access should it be required by the supervisory authority. Where complaints relating to rights requests are received, the log can provide valuable information for root cause analysis.
Where logs are maintained for rights requests, firms should ensure that there is a policy in place, clearly setting out company procedure, and ensuring that staff are aware of how to recognise a request, time limits, each step of the process, efficient processing, how to deal with disputed information and their responsibilities under the GDPR. Employees who may receive requests should be well trained, in particular, in the logging of verbal requests. The policy should set out members of staff with responsibility for each step of the process, for example, which member of staff will deal with investigations, and which member of staff has ultimate responsibility for communicating the outcome to customers.
There is an argument that this becomes a bit more complicated with requests for data erasure. The right to erasure, also known as ‘the right to be forgotten’ is the data subject’s right to request deletion of their personal data where it is no longer necessary for the purpose it was originally collected for, or where consent was the basis for processing and the data subject removes that consent. In cases where the request is valid (i.e. it meets the criteria and has been accepted by the organisation), then firms are obligated to ensure that the customer’s data is erased from live and backup systems. The ICO recommends that it is good practice to keep a log of verbal requests – and since firms will need to ensure that they can demonstrate compliance with GDPR, erasure logs should be able to record that the request was received, handled and completed, without containing large or unnecessary amounts of personal data, which the data subject might reasonably object to, given their request for deletion.
There’s an argument that maintaining information in erasure logs does not breach the GDPR. Controllers need to keep logs or registers of requests to be able to document compliance and facilitate any complaints by the data subject themselves or reviews by the ICO. The information contained in erasure logs must be the minimum required to be able to accurately document what happened and when (compliance with timescales) and the justification of any decisions. Whereas logs for other types of requests (e.g. DSAR, right to rectification) can include cross references to documentation held on the data subject (e.g. previous correspondence, previous addresses etc), erasure logs should set out only the information that is needed to be able to prove the request was adequately considered. In such cases, firms would need to be clear with the data subject about this information – what you’ll be keeping, why and for how long – ideally in the same communication about the outcome of their request.