PDRHS - Personal Data Request Handling System for GDPR Compliance - Part 1

In one of my previous posts (Measures for a Company for GDPR compliance) on GDPR topic I listed the measures that a company has to take to ensure GDPR compliance. One of the measures is to implement PDRHS (Personal Data Request Handling System).  In this post I will go into more details about PDRHS. Again, I will limit the scope to companies (exclude public bodies and others). 

PDRHS is an abstract of a system that facilitates data subjects to exercise their rights related to personal data. PDRHS is expected to manage the life cycle of data subjects' requests related to personal data.

PDRHS in terms of complexity could be anywhere between very simple to very complex, and in terms of automation could be anywhere between fully manual to fully automated solution depending upon the type and size of the company and number of data subject requests the company receives.

Companies like Facebook and LinkedIn already provide means to exercise some of our personal data rights in an online and interactive way.  See screenshots provided below. However, these facilities are not enough to satisfy all of the requirements. Data subjects should be provided with a way using which they can raise requests to exercise all of their rights as guaranteed by GDPR, for example, the right to know if their data is shared with third parties, if yes, who are the third parties, the right to reject individual fully automated decision-making or to know more about the logic involved in it and so on.  

Your Facebook Information
Click to enlarge

Linkedin Personal Data
Click to enlarge

So, to begin with,  PDRHS should handle the entire life cycle of a request made by a data subject. The life cycle (various statuses) of a request will be as shown in the figure provided below,

Life cycle of a data subject request
Click to enlarge : Life cycle of a data subject request

data subject initiates a new request, the company progress the request, conditionally puts it on hold for lack of information or confirmation from the data subject, progresses it again once it receives enough information or confirmation from data subject and then either resolves the request or rejects the request and closes the request.

What are all the functions that should be carried out by PDRHS - please see part 2.

Disclaimer: I am not a legal expert nor a certified GDPR consultant (not sure if there is one certification yet). I am a data enthusiast (and now GDPR enthusiast) and I like to envisage, conceptualize and design solutions for real problems. All posts related to GDPR are only to present my understanding and to start a good discussion with the audience. As every business is different please consult legal experts to understand obligations specific to your company. For official documentation check the official website - https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en.


Popular posts from this blog

ETL developer vs Data engineer

3 years of IBI