By Sofia Carroll, Information Governance Manager
The customer service side of UK GDPR data requests
Handling personal data requests from clients and customers is a daily task for the data protection officer (DPO). In practice, many of them are a part of a broader, sometimes more contentious, picture of the relationship between the organisation and the individual. To manage the relationship as well as possible, we look at some steps to take below.
Tell your DPO about the request
Customer satisfaction may vary, and it is important to address any concerns to retain customer loyalty and trust. It is just as important to properly address any data protection points your clients may raise for the same reason.
This is why it is essential you let the DPO know about any request – “who else have you shared my data with”, “I’d like to see the internal emails you wrote about me” – as soon as possible. A backlog of requests causes inefficiency and may attract regulatory attention, which happened to the Labour Party recently.
Allow the DPO to explain the law
Once the DPO has taken on the request, keep in touch with them for general updates you may need to know about to manage the relationship, while allowing the DPO team to focus on the technicalities. The team might contact you to get more details about context, which will help the DPO find the information that is of most importance to the customer.
Even though the responsibility to produce a response is on the data protection lead, they depend on colleagues to hear about the request if it hasn’t been sent directly to them, and to receive the relevant information.
Make sure key stakeholders in your organisation are aware of the UK GDPR with Naomi Korn Associates’ Data Protection Essential course running on 18 & 19 Sept 2024, 9:30am-1pm. We will cover the basic responsibilities of controllers and DPOs, as well as how to foster a privacy culture and implement essential processes like privacy by design and consent management.
We have also created a dedicated course for the cultural heritage sector: book a place on our Data Protection Law for Archives, Museums and Library Collections to learn about the specific application of the law to archiving, including the relevance of personal data, compatible processing and exemptions to personal data rights. The course will benefit staff of all seniority and particularly those with a compliance-focused role. It will run on Tuesday 24th September 2024, 9:30 am–1pm.
Understand data protection rights
To ensure expediency and better responses to customers, another team may have to help the DPO with managing requests. This can be achieved with our course on Data Protection Rights (focus on subject access requests) running on Thursday 7 November, 09:30am-1pm. This is a course aimed at professionals who need practical advice on handling requests. We will look at best practices for responding, timescales, when you can withhold data, how to conduct fair internal reviews and make reports for senior management and the ICO.

