A customer contacts your business and requests a copy of all personal data you hold on him (Subject Access Request).
Here are some questions your organisation will need to have considered in order to comply with his request:
What number did he ring? A dedicated SAR number you have set up? Or did he send an email and, if so, to which email address? Did you advertise these as part of your privacy notices?
Which department did you designate to deal with SARs? How did you roll out training and awareness across your organisation?
How did you verify the customer?
How did you record his request to ensure you provided a response within 30 days?
What is the process for gathering all the information together? Is it efficient? Multiple SARs could become an administrative and costly burden, and you are no longer allowed to charge for this.
How did you determine what information you can/can’t/should/shouldn’t send? In other words, did you finish your information audit, so you understand the legal basis for processing each piece of personal data?
Did you decide to get your DPO to approve what will be sent to the customer before it goes? Did you decide on a dedicated DPO or a DPOaas?
What guidance did you include with the customer's personal information? Specifically, their additional rights: to object, to rectification, to restriction of processing, and so on.
Did you write all your procedures to manage additional requests from your customer?