In my latest post, I outlined the process involved in the actual response to DSAR requests. In my last article of this series, I will discuss the best practices and workflows that your organization should follow when responding to DSAR requests. Generally, “controllers” are responsible for responding to DSARs, and “processors” assist them in handling the requests. Here are my recommendations for best practices in responding to DSARs to ensure General Data Protection Regulation (GDPR) compliance: Review and Update Privacy Notices and Policies The GDPR requires organizations to inform data subjects of their rights. Companies need to make sure that their existing policies comply with the new entitlements given to data subjects by the law, including the right to: Obtain certain information from the controller beforehand, and without asking for it Be made aware of whether a controller is processing their data and how it was collected Request that inaccurate personal data about them be rectified, with communication regarding the rectification made to each recipient of the data Demand that their personal data be erased and no longer processed (right to be forgotten) Ask the controller to restrict the processing of their data Receive their data in a structure, commonly-used format for transmission elsewhere (data portability) Object to the handling of their data at any time (in certain circumstances) Not be subject to decisions based solely on automated processing Withdraw consent at any time during processing In certain circumstances, EU member states may pass legislation to limit DSAR requests under local law. One example of this is the UK’s Data Protection Act of 2018. Create and Implement a DSAR Process Your company needs to have a process in place to address: How you will enable DSARs, e.g., offering a standardized online [...]