PDRHS - Personal Data Request Handling System for GDPR Compliance - Part 2

Continued from part 1, now we go more deeper about handling the requests from data subjects. This is explained using the simple flow chart provided below.

GDPR : steps to process a request
Click to enlarge
Based on the above flow chart we can now easily list various processes that needs to be carried out by PDRHS. Note that the processes mentioned here are specific to PDRHS with underlying assumption that all other systems are already GDPR compliant.
  • Facilitate reception of various types of requests from data subjects.
  • Store the request.
  • Classify the request as fake or genuine.
  • Verify the identity of the data subject.
  • Collect additional personal details if necessary to verify identity. 
  • Categorize based on type of request.
  • Check the frequency between the requests.
  • Estimate the charge/fee to be applied for too frequent requests.
  • Set the level based on which too frequent requests may be rejected. 
  • Find and consolidate data about data subject.
  • Collect information about automated decision making process specific to the data subject.
  • Check if other regulations prevent deletion of data.
  • Trigger data deletion jobs. 
  • Provide requested information to the data subject.
  • Update the request with response provided. 
  • Delete any additional personal details collection during the request handling process.
As mentioned in the previous post PDRHS could be fully manual or fully automated system. In my view companies will decide how much to automate based on the number of requests they receive and the complexity in terms of number of data processing systems involved. The number of requests will be more or less proportional to the number of active data subjects the company handles as shown in the figure below. Companies that receive less than 10 requests per week should be able to handle it manually to a large extent however if company receives more than 100s of requests per day it's not going to be feasible to respond appropriately within the 30 days time limit to all of them.


GDPR : Manual to Automated
Click to enlarge
Architecture of PDRHS could be as given below, companies will choose which component should be automated and which will remain manual based on specific needs and technical capabilities within the company.

GDPR Personal Data Request Handling System
Click to enlarge : Personal Data Request Handling System

I hope both these articles (part 1 and this part 2) provide you enough information to consider and to go about building your version of PDRHS.  I welcome your comments, feedback and suggestions about PDRHS.





Disclaimer : I am not a legal expert nor a certified GDPR consultant (not sure if there is one certification yet). I am a data enthusiast (and now GDPR enthusiast) and I like to envisage, conceptualize and design solutions for real problems. All posts related to GDPR are only to present my understanding and to start a good discussion with the audience. As every business is different please consult legal experts to understand obligations specific to your company. For official documentation check the official website - https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en.

Comments

Post a Comment

Thanks for your comment. It will be posted after checks.

Popular posts from this blog

ETL developer vs Data engineer

Image
Rephrased question : ETL developer vs Data engineer Answer : Unfortunately there are no strict industry standards on these job titles. That is just one part of it. Before ETL tools such as DataStage, Informatica, Ab Initio, etc., became popular, developers were hand coding every ETL flow. These ETL tools shortened the ETL flow development time to a great extent and allowed ETL developers to focus on business rule/logic/requirement (what to implement) than how to code it or optimize the code. There are many other benefits of using a tool but I won’t go into that in this answer. So an ETL developer with experience in these tools without any programming (coding) experience was/is able to design and develop end to end data flows. Whenever new types of source/target data format comes up, these tools catch up but it takes time, i.e., the ETL tool provider (e.g. Microsoft, IBM, etc.,) adds new components/connectors within the ETL tool to be able to work with new data format. For example, let’
Read more

3 years of IBI

This week (on 19th Feb 2020) I completed 3 years of IBI. To celebrate it I have created a Dashboard in Google Data Studio. So from now on instead of using the charts in the Google Sheets I will use the Dashboard. Google Data Studio is more user friendly and mobile friendly too, also it comes with easy to use filters and drill down/up capabilities. PDF version of the first 2 pages of the shareable dashboard is attached below. I am happy to share the first 2 pages of the IBI Dashboard, reach out to me if you would like to get the Google Data Studio IBI dashboard. Once you get the dashboard (without my data of course) you can make a copy of it and point it to your IBI data (assuming you have started), add more charts, pages, etc., and use it for your benefit. Like with every year, this IBI year too I have learnt a lot about myself, made new mistakes, changed several things about me. The benefits of IBI is much more than we can think of. Use it to know it. And what are some of the
Read more