It is all about accountability and accurate record-keeping. One of your reasons for refusing a request is the fact that it is repetitive, if you do not keep accurate logs, how can you prove this point? There is a saying in the Criminal Justice world that I learned as a young police officer giving evidence. If it is not written down, it did not happen. Police officers are trained to write everything down as it might be needed as evidence later on in the inquiry, sometimes years later.
So, keeping an accurate log of data rights requests is a vital process for several reasons. Some of them are:
- It helps to demonstrate compliance with the Data Protection Law that your company has to comply with, whether that be the Data Protection Act, one of the Channel Islands data protection laws, or GDPR.
- A log can show that you have received, processed, and responded to requests in a timely and lawful manner. This not only shows that you have been accountable to the law and the data subject request but also shows your internal processes work.
- A log will show a continuity of contact with the data subject and give a clear timeline of what you have done to respond to the request. If, at the end of the request, the data subject is not happy with the information received, or the exemptions you have used to redact and a complaint is made with the Supervisory Authority. Providing the SA with a complete log of events is your evidence of action. Without this log you have nothing – If it is not written down, it did not happen.
- It helps to ensure the accuracy, integrity, and security of personal data. A log can help you to identify and correct any errors or inconsistencies in the data, as well as to detect and prevent any unauthorised access or misuse of the data. This may sound like a strange thing to say, but the log will identify weaknesses in your process or systems. A log has to be used as a learning tool for your own compliance and ongoing assessment of improvement.
- It helps to improve your data management and customer service. A log can help you to track the progress and status of each request, to allocate resources efficiently, to communicate with the data subjects effectively, and to handle any complaints or disputes that may arise. I have pointed this out twice on purpose because it is an important point to make. Remember we are a compliance team, and data protection professionals, but we are also a customer service team, we deal with data subjects who are our customers, deal with them as we would like to be dealt with. Our logs reflect this and our actions.
I am not going to tell you about the fines and sanctions for non-compliance, we all know them by now. Keeping an accurate log is showing your own professionalism and accountability. It provides the team and business with a consistent approach to dealing with data subject rights requests.
YourDataSafe™ will provide this tool for your business. Because YDS provides access to every member of the business, a received data rights request can be logged immediately by the receiver. YDS will automatically notify the compliance team that a request has been received. It provides the steps to be taken and hints and tips on how to record information.
YDS has an ‘Auditors’ access for the Supervisory Authority to review your log should a complaint be received. This access has been used successfully several times and very positive feedback has been received – not in writing, so it didn’t happen. They cannot be seen to promote a product and we respect that.
YDS will give your business a single source of recorded log for all data rights requests and a consistent approach by your business for dealing with them. It will give your business the confidence in knowing there is no room for a rouge member of your team to deal with a request differently that could lead to a complaint and any reputational damage.