Data Subject Rights Management
Manage requests from data subjects to access the personal information the organization holds about them. Verify that the communication channel used, and any agent acting for the data subject, are authorized by the data subject before disclosing anything.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Data Subject Rights Management at each level of maturity.
- 1 Initial
  - Practice
    - Provide tools and techniques to manage and monitor data subject rights and to process subject rights requests and/or queries.
  - Outcome
    - Processes to manage subject access requests (if any) are ad hoc.
  - Practice
    - Validate that a person communicating is the data subject or a duly authorised person acting on behalf of the data subject.
  - Outcome
    - Authentication of a communicator (if any) is ad hoc.
- 2 Basic
  - Practice
    - Provide tools and techniques to manage and monitor data subject rights and to process subject rights requests and/or queries.
  - Outcome
    - Data subject rights processing procedures are being drafted and basic processes are in use.
  - Metric
    - % of data subject rights requests processed using the appropriate processes and procedures.
  - Practice
    - Validate that a person communicating is the data subject or a duly authorised person acting on behalf of the data subject.
  - Outcome
    - Authentication requirements are understood and implemented in some business units.
  - Metric
    - # of authentication issues.
- 3 Intermediate
  - Practice
    - Provide tools and techniques to manage and monitor data subject rights and to process subject rights requests and/or queries.
  - Outcomes
    - Data subject rights processes are followed in IT and in some business units.
    - Some tool support is available.
  - Metric
    - % of data subject rights requests processed using the appropriate processes and procedures.
  - Practice
    - Validate that a person communicating is the data subject or a duly authorised person acting on behalf of the data subject.
  - Outcome
    - Authentication processes are supported by scripts and mechanisms.
  - Metrics
    - # of authentication issues.
    - Time taken to authenticate the bona fides of the person communicating.
- 4 Advanced
  - Practice
    - Provide tools and techniques to manage and monitor data subject rights and to process subject rights requests and/or queries.
  - Outcome
    - Data subject rights are supported by sophisticated tools and techniques that reduce costs and workload.
  - Metrics
    - % of data subject rights requests processed using the appropriate processes and procedures.
    - € cost per data subject request.
  - Practice
    - Validate that a person communicating is the data subject or a duly authorised person acting on behalf of the data subject.
  - Outcome
    - Trust mechanisms exist with many legal teams and consumer support organizations.
  - Metrics
    - # of authentication issues.
    - Time taken to authenticate the bona fides of the person communicating.
- 5 Optimized
  - Practice
    - Provide tools and techniques to manage and monitor data subject rights and to process subject rights requests and/or queries.
  - Outcomes
    - Data subject requests are effectively and efficiently managed.
    - Processes, tools and techniques are regularly improved and optimized.
  - Metrics
    - # of requests that go through an automated online process.
    - % of online processes that are evaluated by customers regularly.
    - % of processes that are updated based on feedback from customers.
  - Practice
    - Validate that a person communicating is the data subject or a duly authorised person acting on behalf of the data subject.
  - Outcomes
    - Data rights actor authentication is effective and efficient in most cases.
    - Exceptions are handled by competent staff.
  - Metric
    - # of scripts for authenticating data subjects.