Back to our Resource Centre

GDPR – How to process subject access requests and data breaches

Type: #Blog#GDPR

One of the key changes driven by GDPR is that individual data subjects have more rights:

  • Article 15: Right of access by the data subject
  • Article 16: Right to rectification
  • Article 17: Right to erasure (‘right to be forgotten’)
  • Article 18: Right to restriction of processing
  • Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Article 20: Right to data portability
  • Article 21: Right to object

Data breaches are something we always aim to avoid however it is important to acknowledge that you cannot guarantee 100% that you’ll never have a data breach of some type. Under Articles 32 and 33 of GDPR you need to make sure you have processes in place to deal with data breaches and more importantly ensure you report them to the right authorities and people within the allowed time.

CRM can help you meet your obligations under GDPR – by enabling workflow and businesses process for managing Rights and Freedom Requests and Data Breaches. Let’s take a look at how you can create those simple workflows and processes.


Right and Freedoms “Data Subject Access Requests”

GDPR states you must respond to a Data Subject Request within 30 days. Relying on emails, paperwork or spreadsheets to manage these requests can be dangerous and risk the loss of requests or missing deadlines. 

CRM can help: you can implement an effective business process in CRM to manage and keep track of all Subject Access Requests. In Workbooks for example, all it takes is a simple workflow to record the entire process of a data subject request to not only ensure you are meeting your obligations but can also evidence this at any point in time.


All the information and engagement related to the request is recorded in Workbooks allowing full visibility of the process from start to finish and ultimately measure how the process was handled against SLAs. You are able to document and evidence what has been done when. You can create email templates that acknowledge the request, that request validation of the requestor identity etc. And those could be automated based on the previous action being completed, using our process automation engine.

text-box2.pngData Portability Request would be handled using Workbooks. This type of data may have been provided to you by a prospect through a web enquiry form or it could be from a candidate that submitted an application form."Times New Roman";mso-fareast-language:EN-GB”>

Calibri;mso-fareast-font-family:"Times New Roman";mso-hansi-font-family:Calibri;
mso-bidi-font-family:Calibri;color:black;mso-fareast-language:EN-GB”>In this example, we received a person’s information through a free trial form. We identify the data fields we need for the report. In this case it would be First name, Surname, Email, Telephone and Company.


We must ensure we verify the requestor’s identity. Depending on what information we have received this can be done in different ways, but in this example, we can only use the requestor’s email address to do so. We send the person an identity verification request email asking to confirm that the request was originated by them. In Workbooks CRM you can create templates specific to your GDPR workflow, which can be found on the Send Email tab as shown below. This will not only save you time, but you can ensure the correct communication is being sent. 


Once they have confirmed their identity, we can then use the report we created previously (from the data fields on the web form) to export the specific data. In Workbooks you can configure this so that it is on a tab in the case record and will only show the data submitted through the free trial form.




Similarly, to reply back to the person’s identification confirmation we can pre-populate the name and the date we aim to complete the request by from the case. 


To send the requested information you could use the below template where you will notify them that the file is password protected and that the password will be sent to them through another channel for example SMS. 



Processing Data Breaches in Workbooks

As a business it is crucial to be one step ahead and have a process already in place to deal with data breaches rather than try and figure it out when it happens. We strongly recommend you implement an Instant Management Response process and this can be done in CRM. 

We will use an example so you can see how Workbooks can be used to manage this process and make life a little easier for your teams and help your organisation remain compliant. 

You can set up an Incident Management workflow which will enable you to record the data breach that occurred, assess the data breach, report to ICO and communicate to the data subject.  


In Workbooks you can create a Case record type tailored to a data breach incident. 


You will be able to record the details of the data breach in the GDPR analysis section, which will help you decide on the next course of action. As you can see on the record we can track what is our GDPR Data Role, Breach Type, Breach Impact and who we need to communicate the data breach to. This information will ultimately define whether or not you need to report this to the ICO, the data subject or any other party i.e. another Data Controller. 

You can also use the KPI’s functionality to ensure you are completing the process within the legal timeframe. Depending on the severity and type of breach you will need to report this to the relevant authorities within 72 hours so this will help you track the process and ensure you are meeting the deadline. 

Furthermore, Workbooks make it easier for your Management team to keep track of any GDPR cases with a simple dashboard that tells you whether you have met your SLAs and this can be the 30 days for a rights & freedoms request or the 72 hours for a data breach incident. 


We recently ran a webinar to discuss Supplier Assessments, Data Subject Access Requests and Data Breaches and how CRM can help. To access the recording, click here.

.align-right {
margin-left: 10px;

.sidebar-block {
display: none;