The European supervisory authorities prioritise a certain topic every year, which they focus on in their enforcement practice
In 2024 this will be „Subject Access Requests”.
Supervisory authorities will assess whether companies have functioning and properly documented procedures for dealing with such requests.
It is possible that you will receive a related inquiry from your supervisory authority next year. Then you should have the following information at hand:
- A description of what procedure you have established for handling subject access requests (“Who deals with what”?).
- The instructions for employees for handling data subject access requests (this should also be documented in foxondo in the Data Protection Organization module in question DO-250).
- A description of how you have informed all employees about this procedure.
- The description of how you effectively ensure compliance with the 1-month response deadline.
The latter will only be possible if all employees have been effectively and demonstrably trained and made aware of this.
Unfortunately, time and again subject access requests end up sitting in inboxes or on desks for weeks …
By the way, we have created a GDPR video training that can be used to raise awareness in companies (currently available in English; German is planned).
If this is of interest to you, please feel free to contact us. We will provide you with an offer for your company.
Summary:
In 2024, the supervisory authorities’ focus will be on checking whether companies have good processes for handling data subject access requests in place.
As always, feel free to get in touch if you have any questions.