How to reduce the volume of requests (SARs)

Michael Gentle
The Balance of Privacy
3 min read · Nov 25, 2018

Increase transparency, and people will have less need to contact you

When people ask your organisation “What personal information do you hold about me?”, you have roughly 30 to 45 days to reply, depending on the legislation: one month under the GDPR (Article 12(3)), extendable by a further two months where requests are complex or numerous, and 45 days under California’s CCPA. Subject Access Requests (SARs) can require significant time and effort, because you have to collect the information from disparate software systems that were never designed for such a purpose.

So, how can we reduce the volume of SARs? The answer is to generate a sufficient level of transparency and trust that people do not feel the need to contact you in the first place. After all, in most cases a SAR is a user’s way of telling you that they don’t fully understand your privacy policy, or, worse, that they don’t trust you.

There are two ways you can achieve this transparency.

It’s all about clarity

Firstly, your privacy policy must be short and simple, with the objective being to inform the reader rather than to protect the organisation. The Article 29 Working Party guidelines are very clear on this: “The concept of transparency in the GDPR is user-centric rather than legalistic”. Your privacy policy should therefore be written by a communications specialist, not a lawyer, with legal review limited to checking that everything Articles 13 and 14 require (identity of the controller, purposes and lawful basis, recipients, retention period, the data subject’s rights) is actually present.

Once you have a clear privacy policy, the next step is to provide a self-service feature on your website that lets visitors see what personal information is collected and how it is used. A customer, for example, could then see at a glance that:

· the company collects their name, address and email

· they are the source of this information

· the information is used for the purpose of contractually delivering the product

· the company passes the data to a named list of third-party service providers

· the retention period after product delivery is six months.

This self-service feature is not static text that has to be maintained by hand, but a widget embedded on your website that retrieves the actual information from your data mapping and inventory. What visitors see is then the same record you would use to answer a SAR, so the two cannot drift apart. Such widgets are a feature of some GDPR tools; see my recent article, Don’t even try managing GDPR in Excel.

Don’t hide your privacy policy

Once you have an easily understandable privacy policy and a transparency widget, the last thing you want to do is bury them at the bottom of your website, often intentionally, where people might not find them. On the contrary, make them visible and prominent at the top of your home page, because the objective is for visitors to click on them (yes, you read that correctly). Such clarity and transparency go a long way towards generating trust, which should forestall most SARs.

Legal departments might take some time coming around to this way of thinking, but they might as well get used to it: from January 2020, California’s CCPA will require businesses that sell personal information to place a clear and conspicuous “Do Not Sell My Personal Information” link on their home page.

Finally, in a 2017 survey by the DMA, in response to the question “What makes consumers happy to share data with a company?”, the highest-scoring answer, at 51%, was “because I trust the organisation”, followed by “lower prices” at 32%.

So, shift your focus from the processes needed to handle SARs, to trying to ensure that they don’t occur in the first place.

Michael Gentle is the founder of The Balance of Privacy, based in Geneva.

Further Reading

Keep GDPR privacy policies short and simple

Article 29 Working Party, Guidelines on transparency under Regulation 2016/679 (WP260 rev.01, adopted 29 November 2017, revised and adopted 11 April 2018)
