GDPR Data Subject Requests Communication Register Template

by Nash V

Introduction

Since the GDPR came into force, end-users have been contacting the organizations that collect, store and process their personal data in order to exercise their rights under it. To keep track of these requests and of the replies given, many organizations maintain a communication register: a simple, queryable record of the ticket that each request generates.

The register is a practical tool for tracking communications with end-users and supports both internal and external audits. Filling it in consistently ensures that each request is answered within the statutory deadline, allows follow-up on open requests and gives quick access to the individual tickets when a deeper inquiry is required. It also serves as a tracking database for the organization's DPO and their delegates, showing that the GDPR's requirements are being met on time.

Scope and Purpose

The register demonstrates to the supervisory authority that the organization is taking appropriate steps to preserve the end-user's rights under the GDPR. Protecting personal data is the main goal of the Regulation, and a well-kept register is strong evidence that the organization is making every effort to do so.

The register also records the time taken to respond to each request, so that the organization can show it did not exceed the allotted period: under Article 12(3) a request must be answered without undue delay and in any event within one month of receipt, extendable by two further months where requests are complex or numerous, provided the data subject is informed of the extension and its reasons within the first month.
The register should be kept as simple as possible: mostly links to the tickets generated in response to the requests, plus some basic information. The requests can then be sorted and filtered by different attributes -

1. Type of request: access to the personal data (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), objection to processing (Article 21), etc.

2. Action taken as a result: Full compliance, partial compliance, non-compliance, etc.

3. Other basic data: date of request, name of the requestor, etc.

Required Fields in the Register

The communication register should include the following fields -

1. The ticket number generated in response to the initial request, and a link to the ticket.

2. The date and time the request was received, with the timezone stated.

3. The name of the person handling the request (usually a delegate of the DPO).

4. The requester's full name and ID number. Note that the register is itself personal data: restrict access to it to the DPO and their delegates, record only what is needed to match the requester to the request, and keep any documents gathered to verify the requester's identity (which Article 12(6) allows the controller to ask for where it has reasonable doubts) in the ticket rather than in the register.

5. The action taken, if any.

6. Comments (free text).

The Obligations of the Data Controller

1. Reply to the request without undue delay and in any event within one month of receipt (Article 12(3)); if the two-month extension is used, record the date on which the data subject was informed of it and the reason given.

2. Retain the register for at least one year so that it is available for audits.

3. Present the register to the supervisory authority upon request.

4. When a request is refused, inform the data subject without delay, and at the latest within one month of receipt, of the reasons for refusal, of the possibility of lodging a complaint with the supervisory authority and of the possibility of seeking a judicial remedy (Article 12(4)); include the supervisory authority's contact details. The register should reflect that this information was communicated to the data subject.
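The required fields and the controller obligations above are easy to lose track of in a spreadsheet. As an added example, not part of this template and not any particular organization's system, the following Python module implements the six register fields, the one-month deadline with the two-month extension, and two audit checks: open requests past their deadline, and refusals recorded without the appeal information required by obligation 4. The ticket URLs, handler names, requester references and dates are constructed, and computing "one month" as the same calendar day of the following month (clamped to that month's last day) is an assumption made here, not something the template specifies.

```python
# Added example (not from the template): a minimal DSR communication register with deadline tracking
# and audit checks. Assumptions: deadlines follow GDPR Art. 12(3); "one month" is the same calendar
# day of the next month, clamped to that month's last day; all sample data below is constructed.
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional


class RequestType(Enum):             # rights the data subject may exercise
    ACCESS = "access"                # Art. 15
    RECTIFICATION = "rectification"  # Art. 16
    ERASURE = "erasure"              # Art. 17
    RESTRICTION = "restriction"      # Art. 18
    PORTABILITY = "portability"      # Art. 20
    OBJECTION = "objection"          # Art. 21


class Outcome(Enum):                 # field 5: action taken as a result
    OPEN = "open"
    FULL = "full compliance"
    PARTIAL = "partial compliance"
    DENIED = "non-compliance"


def add_months(dt: datetime, months: int) -> datetime:
    """Same day-of-month `months` later, clamped to the last day of the target month."""
    idx = dt.month - 1 + months
    year, month = dt.year + idx // 12, idx % 12 + 1
    return dt.replace(year=year, month=month, day=min(dt.day, calendar.monthrange(year, month)[1]))


@dataclass
class RegisterEntry:
    ticket_id: str                   # field 1: ticket number ...
    ticket_url: str                  # ... and the link to it
    received_at: datetime            # field 2: receipt time, must be timezone-aware
    handler: str                     # field 3: DPO delegate handling the request
    requester_name: str              # field 4: requester's full name
    requester_ref: str               # field 4: identity-verification reference, not a copy of the ID
    request_type: RequestType
    outcome: Outcome = Outcome.OPEN
    responded_at: Optional[datetime] = None
    extended: bool = False           # two-month extension under Art. 12(3) invoked and notified
    appeal_info_given: bool = False  # obligation 4: complaint/appeal route communicated on refusal
    comments: str = ""               # field 6: free text

    def __post_init__(self) -> None:
        if self.received_at.tzinfo is None:
            raise ValueError(f"{self.ticket_id}: received_at must carry a timezone")

    def deadline(self) -> datetime:  # one month from receipt, or three if extended
        return add_months(self.received_at, 3 if self.extended else 1)

    def response_days(self) -> Optional[int]:  # None while the request is still open
        return None if self.responded_at is None else (self.responded_at - self.received_at).days


class Register:
    def __init__(self) -> None:
        self._entries: List[RegisterEntry] = []

    def add(self, entry: RegisterEntry) -> None:
        if any(e.ticket_id == entry.ticket_id for e in self._entries):
            raise ValueError(f"duplicate ticket {entry.ticket_id}")
        self._entries.append(entry)

    def get(self, ticket_id: str) -> RegisterEntry:
        return next(e for e in self._entries if e.ticket_id == ticket_id)

    def overdue(self, now: datetime) -> List[RegisterEntry]:  # open and past deadline, oldest first
        late = [e for e in self._entries if e.outcome is Outcome.OPEN and now > e.deadline()]
        return sorted(late, key=lambda e: e.received_at)

    def denied_without_appeal_notice(self) -> List[RegisterEntry]:  # audit check for obligation 4
        return [e for e in self._entries if e.outcome is Outcome.DENIED and not e.appeal_info_given]


# Constructed sample data; the review date is fixed so the checks are reproducible.
UTC, CET = timezone.utc, timezone(timedelta(hours=1))
REVIEW_DATE = datetime(2024, 4, 20, 12, 0, tzinfo=UTC)


def sample_register() -> Register:
    reg = Register()
    reg.add(RegisterEntry("DSR-1001", "https://tickets.example/DSR-1001", datetime(2024, 1, 31, 9, 0, tzinfo=UTC),
                          "a.delegate", "Jane Doe", "verif-7f3a", RequestType.ERASURE, Outcome.FULL,
                          responded_at=datetime(2024, 2, 15, 9, 0, tzinfo=UTC)))
    reg.add(RegisterEntry("DSR-1002", "https://tickets.example/DSR-1002", datetime(2024, 3, 10, 14, 30, tzinfo=CET),
                          "a.delegate", "John Roe", "verif-91c0", RequestType.ACCESS))
    reg.add(RegisterEntry("DSR-1003", "https://tickets.example/DSR-1003", datetime(2024, 3, 12, 8, 0, tzinfo=UTC),
                          "b.delegate", "Ann Poe", "verif-2e4d", RequestType.PORTABILITY, extended=True,
                          comments="extension notified 2024-04-05: export spans three systems"))
    reg.add(RegisterEntry("DSR-1004", "https://tickets.example/DSR-1004", datetime(2024, 2, 1, 10, 0, tzinfo=UTC),
                          "b.delegate", "Sam Loe", "verif-c8b1", RequestType.OBJECTION, Outcome.DENIED,
                          responded_at=datetime(2024, 2, 20, 10, 0, tzinfo=UTC)))
    return reg


if __name__ == "__main__":
    for e in sample_register().overdue(REVIEW_DATE):
        print(f"OVERDUE {e.ticket_id} {e.request_type.value}: deadline was {e.deadline().isoformat()}")
```

Two design choices are worth noting. The register refuses naive timestamps, because a deadline computed from a receipt time with no timezone is ambiguous exactly when it matters (a request received late on the last day of the month). And the entry stores a verification reference rather than a copy of the identity document, which keeps the register itself small in personal data while the ticket holds the evidence.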

Term Definitions

What is a Data Controller?

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7)). The controller decides why and how the data is processed and is accountable for that processing; a processor that handles the data on the controller's behalf has its own, narrower obligations under Article 28. The GDPR does not frame this as ownership of the data.

What is personal data?

Any information relating to an identified or identifiable natural person (Article 4(1)). This includes direct identifiers such as name, phone number, email address and ID number, online identifiers such as an IP address, and special categories such as health records and political opinions, which are subject to the additional restrictions of Article 9.

What is the processing of personal data?

Any operation or set of operations performed on personal data, whether or not by automated means (Article 4(2)). This includes collecting and storing the data, retrieving and analyzing it in any way to extract insights, disclosing it to others, and erasing or destroying it once it is no longer required.

What is a data subject (also known as an end-user)?

Any identified or identifiable natural person whose personal data the organization processes. Creating a unique username on the organization's website is the typical case, but an account is not required: anyone whose data is held, such as a visitor whose IP address is logged or a customer on a mailing list, is a data subject with the same rights.

What is a data breach?

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (Article 4(12)), whether intentional or not. Viewing, copying, stealing or altering the data by an unauthorized party all qualify. A breach likely to result in a risk to individuals must be notified to the supervisory authority within 72 hours of the controller becoming aware of it (Article 33).

Who is the DPO?

The Data Protection Officer is the organization's designated contact for all aspects of GDPR compliance (Articles 37 to 39). The DPO informs and advises the organization, monitors compliance, and acts as the contact point for data subjects and the supervisory authority. Responsibility for compliance itself remains with the controller.

Key Takeaways / Conclusions

1. Ensure that each request is responded to within the statutory one-month deadline (Article 12(3)), and record any extension.

2. Form a request database which allows sorting, filtering and searching of the requests.

3. Guarantee that each request has a separate ticket holding the additional details.

4. The register is a great tool for proving that the requests were replied to on time.