The Best Response to a DSR
We’ve talked all about how to collect DSRs – but how should we respond to them?
Too many privacy professionals overcomplicate the DSR process, when in reality it can be broken down into a simple four-step process: find personal data on the subject, honor the request, reply to the user, and redact the request for later use. Learn more about each step of the process in the video.
Feel free to use our "DSR Response Template" — royalty free!
“We’ve talked all about how to collect DSRs – but how should we respond to them?
[Before handling the request.]
First things first: Send an acknowledgment to the user. Your users want to feel like they’ve been heard. Even if you don’t fulfill their request immediately, they’d like to know that someone on the other side actually received it. This can increase user satisfaction dramatically.
The second thing you should do before actually handling the DSR is to verify the user. Remember: Protecting your users’ privacy is the #1 goal. You can’t do this if you don’t verify the user truly is who they say they are. How do we verify the user? Companies sometimes require ID verification, which isn't approved by the ICO and really upsets users since they don't want to share sensitive information at this stage. So, we recommend using email or SMS for this.
Once you confirm their identity and their request’s validity, you can start processing and completing the request.
Too many privacy professionals overcomplicate the DSR process, when in reality it can be broken down into a simple four-step process:
[First step: Find personal data on the subject.]
Step 1: Find personal data on the subject. Before you can edit or remove the data, you need to find the information in question. How you do this depends on how your company keeps track of and organizes your users’ personal data. Often, it is spread across multiple files, databases, or SaaS applications, such as your CRM, email marketing platform, product analytics tools, payment processors, etc. If you manage this manually, the process will take much longer and likely be more prone to errors. This process is also called Data Mapping, and it underpins any privacy program in any company.
[Second: Honor the request.]
Step 2: Once you find the data, honor their request. The customer is always right, as privacy is their right. Rectify the situation, whether that means editing, redacting, or removing the personal data. Do the same for your internal and external data sources. Remember: Time is of the essence. Be thorough, compliant, and accurate. In specific cases, a request cannot be honored in full, for example for health-related data or specific financial information that has to be retained for auditing purposes. Consult your legal firm about these specific cases, and honor privacy requests in all the rest.
[Third: Reply to the user.]
Step 3: Reach out to the user and tell them that the request has been completed. A well-written, clear response is crucial to keeping a positive relationship with the user.
Attached to this video are some great templates you can use that are proven to increase user satisfaction, specifically for the right to erasure: acknowledging receipt of the request, confirming completion of the request, and rejecting or canceling an illegitimate request.
Overall, your subject line should have a clear and concise summary confirming you’ve completed their request. You should reiterate this confirmation in the first line of your message, further clarifying any implications of the request. Be positive, grateful, and gracious. Remember: DSRs are an extension of your customer service — and an important one, at that.
[Fourth: Redact the request for later use.]
Step 4: Redact the request so you can demonstrate compliance later if needed. As with any legal process, you need to keep a thorough record to protect yourself in case of any potential issues. Once the request is fulfilled, save the documents and communications from it, redacting any personal information.
So, let’s review: Before getting started, reach out to the user and verify their identity.
From there, you’ll find the personal data on the subject, honor the request, reply to the user, and redact the request for later use.
Don’t forget the templates attached to help with Step 3. In our next video, we’ll start with Step 1: Knowing where your users’ data is stored. Keep watching! You’re over halfway through!”
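As an added example (not code from this page or from the video's authors), the four steps above as a small Python workflow over constructed sample stores: a data-mapping lookup across a hypothetical CRM, email-marketing list and payment processor; erasure that applies the Step 2 retention exception for financial records; a completion reply that leads with the result and its implications; and a redacted record kept as compliance evidence. The store names, records, request id and retention reason are all assumptions.

```python
from datetime import date

# Constructed sample data stores standing in for a CRM, an email-marketing
# platform and a payment processor. Every record here is hypothetical.
STORES = {
    "crm": [{"email": "ana@example.com", "name": "Ana Example", "phone": "+1 555 0100"}],
    "email_marketing": [{"email": "ana@example.com", "list": "newsletter"},
                        {"email": "bo@example.com", "list": "newsletter"}],
    "payments": [{"email": "ana@example.com", "invoice": "INV-0001", "amount": 42.0}],
}
# Stores whose records must be kept for auditing (Step 2 exception) -> reason told to the user.
RETAIN_FOR_AUDIT = {"payments": "financial records are retained for audit purposes"}

def find_personal_data(email, stores):
    """Step 1 (data mapping): every record about the subject, grouped by store."""
    return {name: [r for r in recs if r.get("email") == email]
            for name, recs in stores.items()}

def honor_erasure(email, stores, retain):
    """Step 2: erase the subject's records in place unless a retention rule applies."""
    outcome = {}  # store -> (action, record_count, reason)
    for name, hits in find_personal_data(email, stores).items():
        if name in retain:
            outcome[name] = ("retained", len(hits), retain[name])
        else:
            stores[name][:] = [r for r in stores[name] if r.get("email") != email]
            outcome[name] = ("erased", len(hits), "")
    return outcome

def completion_reply(email, outcome):
    """Step 3: confirmation that leads with the result and spells out implications."""
    lines = ["Subject: Your erasure request has been completed",
             f"Hello {email}, thank you for your request; it has been completed."]
    for name, (action, count, reason) in outcome.items():
        if count:
            note = f" ({reason})" if reason else ""
            lines.append(f"- {name}: {count} record(s) {action}{note}")
    return "\n".join(lines)

def redacted_record(request_id, email, outcome, reply):
    """Step 4: what to file as compliance evidence, with the subject's identifier removed."""
    return {"request_id": request_id, "completed": date.today().isoformat(),
            "outcome": {name: (action, count) for name, (action, count, _) in outcome.items()},
            "reply": reply.replace(email, "[REDACTED]")}

if __name__ == "__main__":  # the subject's identity is assumed already verified by email or SMS
    result = honor_erasure("ana@example.com", STORES, RETAIN_FOR_AUDIT)
    reply = completion_reply("ana@example.com", result)
    print(redacted_record("DSR-0001", "ana@example.com", result, reply))
```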