Privacy rules in the European Union’s (EU) General Data Protection Regulation (GDPR) will have many organizations worldwide on the receiving end of data subject rights (DSR) requests when the regulation goes into effect next year. Responding to such requests -- which might deal, for instance, with data access, deletion and portability -- could require significant effort. To avoid being caught flat-footed, organizations need to proactively build an effective process for managing and addressing these requests. On the surface that might seem vexing, but here are five critical factors for success.
While GDPR only applies to EU data subjects and their personal data, B2B and B2C organizations may want to consider a broader implementation applicable to all data subjects in anticipation of other country-specific legislation that may follow suit. There is no perfect mix of people, processes, and technology to support DSR requests. The process-related considerations may require the greatest time and attention. Consider what volume of requests may be received; leverage or extend existing functionality, where feasible; and keep the technology and process simple, with a focus on tracking all activities and contacts that occur to receive, process, possibly fulfill, and then close DSR requests in a reportable and auditable manner.