PDRHS - Personal Data Request Handling System for GDPR Compliance - Part 2

Continued from part 1, now we go more deeper about handling the requests from data subjects. This is explained using the simple flow chart provided below.

GDPR : steps to process a request
Click to enlarge
Based on the above flow chart we can now easily list various processes that needs to be carried out by PDRHS. Note that the processes mentioned here are specific to PDRHS with underlying assumption that all other systems are already GDPR compliant.
  • Facilitate reception of various types of requests from data subjects.
  • Store the request.
  • Classify the request as fake or genuine.
  • Verify the identity of the data subject.
  • Collect additional personal details if necessary to verify identity. 
  • Categorize based on type of request.
  • Check the frequency between the requests.
  • Estimate the charge/fee to be applied for too frequent requests.
  • Set the level based on which too frequent requests may be rejected. 
  • Find and consolidate data about data subject.
  • Collect information about automated decision making process specific to the data subject.
  • Check if other regulations prevent deletion of data.
  • Trigger data deletion jobs. 
  • Provide requested information to the data subject.
  • Update the request with response provided. 
  • Delete any additional personal details collection during the request handling process.
As mentioned in the previous post PDRHS could be fully manual or fully automated system. In my view companies will decide how much to automate based on the number of requests they receive and the complexity in terms of number of data processing systems involved. The number of requests will be more or less proportional to the number of active data subjects the company handles as shown in the figure below. Companies that receive less than 10 requests per week should be able to handle it manually to a large extent however if company receives more than 100s of requests per day it's not going to be feasible to respond appropriately within the 30 days time limit to all of them.

GDPR : Manual to Automated
Click to enlarge
Architecture of PDRHS could be as given below, companies will choose which component should be automated and which will remain manual based on specific needs and technical capabilities within the company.

GDPR Personal Data Request Handling System
Click to enlarge : Personal Data Request Handling System

I hope both these articles (part 1 and this part 2) provide you enough information to consider and to go about building your version of PDRHS.  I welcome your comments, feedback and suggestions about PDRHS.

Disclaimer : I am not a legal expert nor a certified GDPR consultant (not sure if there is one certification yet). I am a data enthusiast (and now GDPR enthusiast) and I like to envisage, conceptualize and design solutions for real problems. All posts related to GDPR are only to present my understanding and to start a good discussion with the audience. As every business is different please consult legal experts to understand obligations specific to your company. For official documentation check the official website - https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en.


Popular posts from this blog

ETL developer vs Data engineer

3 years of IBI