Subject Access Requests are often seen as a burden on organizations, taking up large amounts of time and resources. Organizations hold increasing amounts of information on individuals, and research shows that they often have difficulties responding to a data subject’s request for access to the personal data held on them in a timely and efficient matter. This of concern to regulators, as many organizations fail to meet statutory requirements. However, this is symptomatic of larger breakdowns in information flows, data quality, and data protection compliance. Inadequate responses to access requests result in loss of customer trust and reputational damage.
But Subject Access Requests need not be a burden. Subject Access Requests are the canary in the coalmine, warning an organization of larger information problems or problems in processes that have in unwanted customer outcomes. The receipt of a Subject Access Request generally signals that individuals interacting with an organization have already had an unfavourable outcome or bad customer experience.
In this research report, Castlebridge Associates set out the findings of a recent survey they conducted on the Data Subject perspective on Subject Access requests, alongside research on EU trends and issues in Subject Access Requests, and a case study of a "mystery shop" activity we conducted in an industry sector in Ireland.
We set out the strategic benefits to organisations that change their thinking from Subject Access requests being a burden to them being a warning mechanism that can alert the organisation to issues in their data and issues in their relationships with customers. We also set out two simple models to help leaders in businesses of all sizes understand and articulate the role of Subject Access requests and the practical approaches to ensure you can deal with them effectively. We also describe how adopting a pragmatic and practical approach to aligning Businesss, Technology, and Information in your organisation can help you better achieve the objectives of Subject Access Request compliance while delivering other "value add" benefits to the organisation.