Preparing Your Organization for Right of Access

Nov 14, 2014

This blog post aims to show how companies should provide consumer access in accordance with the law and good practice. Consumer data access is one of the main fundamental rights under the Data Protection Act, which treats individuals as the owners of their personal data. At the same time, consumers have become more aware of the value of their personal data. If this consumer right is neglected or left unaddressed, many potential uses of personal data and innovations that have not yet been explored can be threatened.

Without an internal process, these requests can cause extra burden, effort, hassle and additional costs for a company's daily business operations. Developing a Consumer Request Process inside the organization makes handling these requests cost-efficient and gives the organization an effective way to respect consumer rights. But where to start?

A few good starting points are listed below:

  • Responsible persons – First you need to determine a team or person responsible for these requests, which eases the burden on other parts of the organization. In the current environment, where information can be spread out among several systems in the organization, the key is to define roles for the process from different parts of the organization. These stakeholders are usually from Marketing or Customer Care units.
  • Information management systems – Since the right of access has existed for a few decades, your information management systems should, by now, facilitate dealing with customer access requests. Not only should your systems have the technical capability to search for the information needed for responses, but they should also operate by reference to effective records management policies that allow you to track requests received and responded to.
  • Recognizing customer access requests – Consumers can make requests in different formats, and requests can be received via different channels. This makes identifying these requests difficult. Guidance on the organization’s website on making a customer access request, along with an available form, is a good way to help the organization recognize these requests and handle them effectively.
  • Training – To make this organization-wide knowledge, the consumer request process should be part of general data protection training, while more detailed training should be provided to relevant stakeholders in the organization.

Why should you have a process for customer access requests?
If there is no defined process for handling customer access requests, it is also likely that an organization will fail to comply with them. A well-designed process allows you to get rid of time-consuming ad hoc case solving and, most of all, to comply successfully with this obligation without interference from the data protection authorities.

Your organization should see data access requests as an opportunity to improve customer service and service delivery, but also as a possibility to increase levels of trust and confidence in information handling in your organization. The only way is to be open to individuals about the personal information you hold about them by giving consumers the right to view, correct and delete the personal data stored about them. This involves a systematic change in the way companies think about the ownership of personal data.


Information Commissioner’s Office (ICO) – Subject access code of practice. Dealing with requests from individuals for personal information.

Finnish Data Protection Ombudsman.