IVI Framework Viewer

Data Subject Rights Management

B2

Manage requests by data subjects to access the personal information held by the organization about them. Check that the communications channels and agents are authorized by the data subject.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Data Subject Rights Management at each level of maturity.

1 Initial
  • Practice
    Provide tools and techniques to manage and monitor data subject rights and to process subject rights requests and/or queries.
    Outcome
    Processes to manage subject access requests (if any) are ad hoc.
  • Practice
    Validate that a person communicating is the data subject or a duly authorised person to act on behalf of the data subject.
    Outcome
    Data subject rights processing procedures are being drafted and basic processes are in use.
    Metric
    % Data subject rights requests processed using appropriate processes and procedures.
2 Basic
  • Practice
    Provide tools and techniques to manage and monitor data subject rights and to process subject rights requests and/or queries.
    Outcomes
    • Data subject rights processes are followed in IT and some business units.
    • Some tools support is available.
    Metric
    % Data subject rights requests processed using appropriate processes and procedures.
  • Practice
    Validate that a person communicating is the data subject or a duly authorised person to act on behalf of the data subject.
    Outcome
    Data subject rights are supported by sophisticated tools and techniques that reduce costs and workload.
    Metrics
    • % Data subject rights requests processed using appropriate processes and procedures.
    • € Cost per data subject request.
3 Intermediate
  • Practice
    Provide tools and techniques to manage and monitor data subject rights and to process subject rights requests and/or queries.
    Outcomes
    • Data subject requests are effectively and efficiently managed.
    • Processes, tools and techniques are regularly improved and optimized.
    Metrics
    • # of requests that go through an automated online process.
    • % of online processes that are evaluated by customers regularly.
    • % of processes that are updated based on feedback from customers.
  • Practice
    Validate that a person communicating is the data subject or a duly authorised person to act on behalf of the data subject.
    Outcome
    Authentication of a communicator (if any) is ad hoc.
4 Advanced
  • Practice
    Provide tools and techniques to manage and monitor data subject rights and to process subject rights requests and/or queries.
    Outcome
    Authentication requirements are understood and implemented in some business units.
    Metric
    # authentication issues.
  • Practice
    Validate that a person communicating is the data subject or a duly authorised person to act on behalf of the data subject.
    Outcome
    Authentication processes are supported by scripts and mechanisms.
    Metrics
    • # authentication issues.
    • # time to authenticate person communicating's bona fides.
5 Optimized
  • Practice
    Provide tools and techniques to manage and monitor data subject rights and to process subject rights requests and/or queries.
    Outcome
    Trust mechanisms exist with many legal teams and consumer support organizations.
    Metrics
    • # authentication issues.
    • # time to authenticate person communicating's bona fides.
  • Practice
    Validate that a person communicating is the data subject or a duly authorised person to act on behalf of the data subject.
    Outcomes
    • Data rights actor authentication is effective and efficient in most cases.
    • Exceptions are handled by competent staff.
    Metric
    # scripts for authenticating data subjects.