How to reduce the volume of requests (SARs)

Michael Gentle
Nov 25, 2018 · 3 min read

Increase transparency, and people will have less need to contact you

Image for post
Image for post

When people ask your organisation “What personal information do you hold about me?”, you have 30–45 days to reply depending on country legislation. Subject Access Requests (SARs) can require significant time and effort, because you have to collect information from disparate software systems which were never designed for such purposes.

So, how can we reduce the volume of SARs? The answer is to generate a sufficient level of transparency and trust so that people do not feel the need to contact you in the first place. After all, a SAR is a user’s way of telling you that they don’t fully understand your privacy policy; or even worse, that they don’t trust you.

There are two ways you can achieve this transparency.

It’s all about clarity

Firstly, your privacy policy must be short and simple, with the objective being more to inform than protect. The Article 29 Working Party guidelines are very clear on this, saying that “The concept of transparency in the GDPR is user-centric rather than legalistic”. Your privacy policy should therefore not be written by a lawyer, but by a communications specialist.

Once you have a clear privacy policy, the next thing you should do is to provide a self-service feature on your website that allows visitors to see what personal information is collected and how it is used. They could then see at a glance that, for customers, for example:

· the company collects their name, address and email

· they are the source of this information

· the information is used for the purpose of contractually delivering the product

· the company uses a list of named third-party service providers

· the retention period after product delivery is six months.

This self-service feature is not some static text that needs to be maintained, but a widget embedded on your website which retrieves the actual information from your data mapping and inventory. Such widgets are a feature of some GDPR tools — see my recent article, Don’t even try managing GDPR in Excel.

Don’t hide your privacy policy

Once you’ve got an easily understandable privacy policy and a transparency widget, the last thing you’d want to do is bury them at the bottom of your website — often intentionally — where people might not find them. On the contrary, make them visible and prominent at the top of your home page, because the objective is for visitors to click on them (yes, you read correctly!). Such clarity and transparency will go a long way towards generating trust, which should forestall most SARs.

Legal departments might take some time coming around to this way of thinking, but they might as well get used to it: California’s CCPA will require websites to have a highly visible Don’t sell my data home-page button.

Finally, in a 2017 survey by the DMA, in response to the question “What makes consumers happy to share data with a company”, the highest score, at 51%, was “because I trust the organisation”, followed by “lower prices” at 32%.

So, shift your focus from the processes needed to handle SARs, to trying to ensure that they don’t occur in the first place.

Michael Gentle is the founder of The Balance of Privacy, based in Geneva. For similar articles by Michael, click here.

Further Reading

Keep GDPR privacy policies short and simple

Article 29 Working Party, Guidelines on transparency under Regulation 2016/679 (revised April 2018)

Data privacy is the new normal

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store