Data Subject Rights Management
Manage requests by data subjects to access their personal data held by the organization (including the purposes for which it is held and to whom it may be disclosed), and to rectify or erase inaccurate data. Check that the communication channels and agents are authorized by the data subject.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Data Subject Rights Management at each level of maturity.
- 2Basic
- Practices
- Ensure that basic requirements and policies for authenticating a data subject are defined by data protection champions or advocates.
- Build awareness of those requirements and policies in some business units other than those of the champions.
- Outcome
- Authentication requirements are understood and implemented in some business units.
- Metric
- # of authentication issues.
- Practice
- Draft basic processes to manage data subject rights and begin to track data access requests.
- Outcome
- The rights of data subjects are beginning to be considered.
- Metrics
- # of data access requests.
- % of data subject rights requests processed using appropriate processes and procedures.
- 3Intermediate
- Practices
- Define detailed requirements and policies for authenticating a data subject.
- Support authentication processes with standardized scripts and mechanisms.
- Outcome
- Authentication requirements are consistently addressed in most instances.
- Metrics
- # of authentication issues.
- Time taken to authenticate the communicating person's bona fides.
- # of scripts for authenticating data subjects.
- Practices
- Follow standardized processes to manage data subject rights in most areas of the business.
- Develop processes to track nuisance requests.
- Outcomes
- Data subject rights are proficiently managed in many instances.
- Many nuisance requests are controlled and managed effectively.
- Metrics
- # of data access requests.
- # of nuisance requests.
- % of data subject rights requests processed using appropriate processes and procedures.
- 4Advanced
- Practice
- Support authentication processes with sophisticated systems, tools, and techniques.
- Outcomes
- Authentication requirements are consistently addressed in all instances.
- Systems, tools, and techniques reduce costs, risks, and workload.
- Metrics
- # of authentication issues.
- Time taken to authenticate the communicating person's bona fides.
- # of scripts for authenticating data subjects.
- # of tools for authenticating data subjects.
- Practices
- Follow comprehensive processes to manage data subject rights across the organization and to manage nuisance requests and frequent repeat requests.
- Support these processes with relevant systems, tools, and techniques.
- Outcomes
- Data subject rights are proficiently managed in all instances.
- All nuisance requests are controlled and managed effectively.
- Systems, tools, and techniques reduce costs, risks, and workload.
- Metrics
- # of data access requests.
- # of nuisance requests.
- Cost per data access request.
- % of data subject rights requests processed using appropriate processes and procedures.
- 5Optimized
- Practice
- Continually review authentication processes and procedures for improvement opportunities.
- Outcomes
- Authentication is effective and efficient in all cases.
- Exceptions are handled by competent employees.
- Metrics
- Frequency of review and update to authentication processes.
- # of authentication issues.
- Time taken to authenticate the communicating person's bona fides.
- Practice
- Integrate systems, tools, and techniques across relevant business ecosystem partners to help manage data subject rights, and regularly review them for improvement opportunities.
- Outcome
- Data subject rights management is effective across the entire business ecosystem and reflects the latest industry best practice insights.
- Metrics
- Frequency of review and update of processes to manage data subject rights.
- # of data access requests that go through an automated online process.