Introduction
As a legal requirement and best practice, managing data subject rights is crucial to the success of any organisation processing personal data. Respect for the rights of data subjects builds trust in your organisation and compliance with relevant data protection laws. However, many organisations struggle with implementing an effective data subject rights management system. This article provides practical insights for building an effective data subject rights management system. Our article on building effective data subject rights management procedures under the Nigeria Data Protection Act (NDPA) will be useful for organisations operating only in Nigeria.
The meaning of data subject rights and why they need to be protected
Data Subject Rights (DSR) are the legal rights created by data protection laws that individuals possess over their data usage. They guarantee individuals' control over the processing of their data. An effective response to DSR naturally arises from organisations' processing of personal data and serves as the foundation for effective data protection, bridging the gap between theoretical concepts and practical implementation. Examples of DSRs include the right to access data, rectification, object to processing, restriction of processing, and the right to erasure if the original purpose for collection has lapsed. These rights are found under Part VI of the Nigeria Data Protection Act, the legal framework for these rights.
Moreover, the obligation of organisations to facilitate these rights is not just a legal requirement but an inherent responsibility. However, these rights are not absolute, as data controllers may deny certain rights based on specific circumstances or conditions. For instance, if there is a legal obligation on the data controller to retain such data, a data subject's request for deletion would not be processed. However, there is an exception in cases where data is used for commercials, direct marketing, or advertisements. In such situations, no restrictions are imposed on exercising the right, and the request for data deletion must be granted unconditionally.
DSRs are important because they empower individuals to control their data and make informed decisions. Increased awareness of DSR places additional responsibility on data controllers, promoting transparency and accountability in data practices. Additionally, organisations supporting and transparently communicating about DSR build consumer trust, making them preferable for business dealings to those neglecting these crucial rights.
Communicating data subject rights and the internal policies addressing them
For data subjects outside the organisation, a privacy notice is the primary means of communication. A privacy notice is primarily found on organisations' websites, conveying their commitment to data protection and informing data subjects about how their data is handled. Internally, a privacy policy guides employees, interns, and management regarding the organisation's approach to data throughout its lifecycle. This policy ensures that individuals within the organisation are well-informed about the standards and practices related to data protection. Awareness initiatives, such as employee training and awareness sessions, are also crucial aspects of communication. These sessions keep employees updated on data protection principles and reinforce a culture of awareness within the organisation.
Furthermore, role-based training for staff, particularly those in customer-facing roles like marketing and customer service, is important. It is also important to ensure that the employees have a deep knowledge of data protection rules and the policies related to data subject requests (DSRs). This training would help them share information effectively about customer requests.
Common challenges organisations face when operationalising data subject rights
Some organisations lack a comprehensive list of assets hosting personal data. For global entities controlling large volumes of data, handling DSR requests, such as erasure requests, involves checking various systems, requiring extensive coordination among system owners to identify the particular data. In this case, the lack of proper coordination or awareness about all systems increases the likelihood of missing data or incomplete request fulfilment. For example, an individual's data may be deleted in some systems while still existing in others. The struggle to create awareness internally is also a significant challenge organisations face. Additionally, one of the key challenges facing organisations while trying to operationalise data subject rights is a lack of resources to keep up with the constantly evolving data protection landscape or insufficient materials for efficient research. This becomes even more challenging when it is a global organisation.
Ensuring effective collaboration among staff in customer-facing roles and following laid down procedures on managing data subject rights
Tooling has been identified as one of the most effective ways of ensuring cross-departmental collaboration. Different organisations adopt different tools to ensure effective communication across departments. In addition to tooling, everybody’s responsibility (in an organisation) is to ensure the data collected is protected and processed according to the law and company policies. However, this can be achieved through periodic training for various departments, particularly those that interface with customer data. DPOs also play a crucial role in ensuring data protection awareness. DPOs must be upright and able to address data protection concerns and liaise with other departments to resolve the complaint.
The systems or technologies organisations implement to ensure effective operationalisation of data subject rights
The organisation's size should be considered first to implement an effective data subject rights management system. For small organisations whose privacy program is not yet mature, handling data subject rights should require simpler steps, such as having a tracker with one or two people responsible for its periodic update, whether within the customer service department or the privacy department (if any). The process involves meticulous tracking and management when handling incoming data subject requests. Each request is logged in the tracker upon receipt. Key details, such as the date of receipt and the request's source, are recorded in the tracker. For multinational organisations, it is important to note the country of origin, as data protection obligations can vary by jurisdiction.
A typical response timeframe for such requests may be around 30 days. Identifying the specific right the data subject is exercising is crucial, as this influences the response approach. Rights may include access, rectification, erasure, or others under data protection regulations. The organisation gains a comprehensive overview of all incoming requests by categorising and logging these details. This includes insights into the nature of each request, the responsible party for handling it, and the response status.
An essential part of this process is developing an accountability document. This serves as a transparent record for internal reviews or external audits. The document showcases the organisation’s practices in handling data subject requests, demonstrating compliance and diligence. It details the requests received, the actions taken in response, and the timelines involved. This systematic approach ensures compliance with data protection laws and reinforces the organisation's commitment to responsible data management. It provides a clear framework for responding to data subject requests efficiently and effectively while preparing for regulatory scrutiny or audits.
Staying compliant with regulatory changes
Regarding handling data subject rights across different jurisdictions, staying current with the relevant legal provisions cannot be overemphasised. Whether operating in multiple countries or just one, it’s vital to have a thorough understanding of the applicable data protection laws.
An effective process could be to have the legal department or the privacy team diligently monitor these laws, particularly the provisions related to data subject rights. Their role is to ensure that the organisation's systems and processes are designed and updated to comply with these legal requirements effectively.
On legal compliance, concentrating on the finer details rather than becoming overwhelmed by the laws' broad scope is advisable. Understanding the specific aspects of the law that directly apply to the organisation's operations is important. This targeted approach allows for a more precise and effective compliance strategy, ensuring that the organisation addresses the right areas of the law that impact their handling of data subject rights.
The strategies to adopt to ensure that staff are aware of the policies and procedures on data subject rights
To enhance staff awareness of policies within the organisation, regularly organise learning sessions to increase awareness about data protection and privacy. These sessions allow DPOs to stay updated on the different types of data that teams use, as things change quickly and people do not always update the DPO or the privacy team in real-time. During the regular meetings, the DPO educates the teams about important data protection practices and initiatives. Maintaining a shared drive where everyone can access policies and materials on various data protection topics, such as handling a data subject request and how employees can submit their own requests, provides the needed guidance for employees. Generally, organisations should adopt a process that saves time when handling data subject rights requests (DSRRs) and maintains accuracy.
Conclusion
Data subject rights are gaining popularity and importance across the globe. In the coming years, organisations are expected to engage in more user awareness, emphasising that individuals unaware of their rights will become more informed and adept at exercising them. Adopting more sophisticated tools for effectively managing data subject rights will increase the efficiency of staff in handling requests from data subjects as well.
This article is based on the Hive Pulse Point Series event moderated by Dorcas Tsebee, with Toulu Akerele, Temitayo Ogunmokun, and Egoyibo Okoro as panellists. We thank the guests for their time and input. You can catch up with the session recording here.