DRPV-07

Do you provide individuals with access to their personal information for review and update (i.e., data subject rights)?

Explanation

This question is asking whether your organization has mechanisms in place that allow individuals (data subjects) to access, review, and update their personal information that you collect and store. This is a fundamental data privacy right often referred to as 'data subject rights' or 'individual rights'. Why it's being asked: 1. Regulatory compliance: Many privacy regulations like GDPR (Europe), CCPA/CPRA (California), and other global privacy laws require organizations to provide individuals with access to their data. 2. Transparency: It demonstrates your commitment to data transparency and respecting individuals' rights over their personal information. 3. Risk assessment: Organizations without such processes may face regulatory penalties, reputational damage, and legal challenges. The question specifically looks for: - Formal processes for individuals to request access to their data - Methods for individuals to review what personal information you hold about them - Mechanisms for individuals to request updates, corrections, or deletions to their data - Documentation of these processes that can be shared with individuals To best answer this question: 1. Describe your specific processes for handling data subject requests 2. Mention any self-service portals or interfaces where users can access their data 3. Explain your verification procedures to ensure only authorized individuals access their own data 4. Note any timeframes for responding to such requests 5. Reference relevant policies that govern these processes 6. If applicable, mention how you handle special cases like legal exceptions

Guidance

Such processes would include descriptions of request processes individuals can follow to review thier information and written processes a data subject may use to ask for changes or corrections to data held about them.

Example Responses

Example Response 1

Yes, we provide individuals with comprehensive access to their personal information We have implemented a self-service portal where users can log in securely to view all personal data we maintain about them Additionally, we have a formal Data Subject Rights process that allows individuals to submit requests via email to privacy@ourcompany.com or through a web form on our privacy page All requests are logged in our privacy management platform and assigned to our privacy team for processing We verify the identity of requestors using multi-factor authentication before fulfilling requests Our process includes the ability to access, correct, delete, or export personal data, and we commit to responding to all requests within 30 days as required by applicable regulations These processes are documented in our Privacy Policy and Data Subject Rights Procedure, which are available on our website and upon request.

Example Response 2

Yes, we have established a robust process for data subject rights Individuals can request access to their personal information through multiple channels: (1) By submitting a request through their account settings, (2) By contacting our dedicated privacy team at dsr@company.com, or (3) By calling our toll-free privacy hotline at 1-800-PRIVACY Upon receiving a request, we verify the individual's identity using a combination of account credentials and additional verification questions Our system can generate comprehensive reports of all personal data we process about an individual, which they can then review for accuracy If corrections are needed, individuals can either make updates directly in their account settings or submit correction requests through the same channels We maintain detailed logs of all data subject requests and complete 95% of requests within 15 business days Our Data Subject Rights Policy is reviewed annually and was last updated in March 2023 to align with the latest regulatory requirements.

Example Response 3

No, we currently do not have a formal process that allows individuals to access or update their personal information directly While we collect limited personal data for service delivery, we haven't yet implemented a systematic approach for data subject rights requests Our current process is ad-hoc - if someone emails our general support address requesting their data, our support team manually researches and responds on a case-by-case basis without standardized procedures or timeframes We recognize this is a gap in our privacy program and are planning to implement a formal data subject rights process in the next quarter The planned solution will include a dedicated request form, verification procedures, and documented workflows for our team to handle such requests consistently and in compliance with applicable regulations In the meantime, we're training our support team on how to handle these requests appropriately when they occur.

Context

Tab
Privacy
Category
Data Privacy

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub
Neil Cameron