Increase transparency, and people will have less need to contact you
When people ask your organisation “What personal information do you hold about me?”, you have 30–45 days to reply depending on country legislation. Subject Access Requests (SARs) can require significant time and effort, because you have to collect information from disparate software systems which were never designed for such purposes.
There are two ways you can achieve this transparency.
It’s all about clarity
· the company collects their name, address and email
· they are the source of this information
· the information is used for the purpose of contractually delivering the product
· the company uses a list of named third-party service providers
· the retention period after product delivery is six months.
This self-service feature is not some static text that needs to be maintained, but a widget embedded on your website which retrieves the actual information from your data mapping and inventory. Such widgets are a feature of some GDPR tools — see my recent article, Don’t even try managing GDPR in Excel.
Legal departments might take some time coming around to this way of thinking, but they might as well get used to it: California’s CCPA will require websites to have a highly visible “Don’t sell my data” home-page button.
Finally, in a 2017 survey by the DMA, in response to the question “What makes consumers happy to share data with a company?”, the highest score, at 51%, was “because I trust the organisation”, followed by “lower prices” at 32%.
So, shift your focus from the processes needed to handle SARs to ensuring that they don’t occur in the first place.