
Building Trust by Implementing the Right of Access

Privacy Culture | January 22, 2025

The growing emphasis on data protection, especially under the GDPR, has made privacy management a critical focus for businesses in the UK and EU. Against this backdrop, the European Data Protection Board’s (EDPB) recent enforcement actions highlight a core challenge: how to ensure that businesses fulfil individuals’ rights to access their personal data. This right is not merely a legal requirement; it has evolved to form a cornerstone of trust between businesses and their customers. Let’s explore how companies can adapt, prioritise people, and take practical steps to improve privacy management.

Privacy is More Than Compliance

Data privacy is about respecting people’s rights and building trust. The EDPB underscores this by describing the right of access as a means for individuals “to be aware of, and verify, the lawfulness of the processing of their personal data”. While this right was meant to empower individuals, the EDPB found that many businesses are not fully prepared to meet these obligations. Gaps in understanding and implementing this right can erode trust and expose organisations to compliance risks.

A proactive, people-first privacy approach goes beyond compliance, using privacy as a tool to strengthen customer relationships. The shift from a "compliance mindset" to a "trust-building mindset" is one of the most impactful changes businesses can make.

Practical Steps for Better Privacy Management

1. Streamline Tools and Processes

The EDPB found that many organisations lacked robust internal procedures for handling access requests, often because these requests were rare. However, as they stress, “Controllers should be prepared to handle access requests even if the request is not submitted through a dedicated data protection channel”.

To address this:

  • Implement digital tools: Privacy management software can streamline requests, and self-service portals allow individuals to access their data easily.
  • Regular audits: Review your data processing activities and ensure all data repositories are accounted for.

By adopting these tools, businesses can handle requests efficiently while maintaining compliance.

2. Clarify Retention Policies

Many businesses, according to the EDPB, struggle with retention policies, resulting in either excessive retention or premature deletion of access-related data. They recommend that “controllers should fix a retention period for access request communication based on objective criteria and document their reasoning”.

Practical actions include:

  • Setting clear, well-documented retention periods.
  • Separating request-related data from other customer data to avoid confusion.

3. Train Your Team

The EDPB found that some employees were unaware of how to identify access requests, especially when submitted through informal channels like email. They suggest that “all employees are trained to recognise an access request no matter the channel it is submitted through”.

To address this:

  • Conduct regular training sessions on GDPR rights and handling access requests.
  • Create step-by-step guides for escalating privacy-related inquiries.

4. Improve Accessibility and Transparency

Barriers like mandatory web forms or unclear communication can deter individuals from exercising their rights. The EDPB highlights that some organisations require specific formats for requests, which can be seen as obstructive. Instead, they advise: “Controllers should ensure that they are prepared to handle access requests even if the request is not submitted through a dedicated data protection channel”.

To improve accessibility:

  • Offer multiple channels for submitting requests, including online, phone, or in-person.
  • Use plain language guides and FAQs to clarify the process for customers.

Regional Implications: UK and EU Context

While the GDPR remains a standard for EU organisations, UK businesses must ensure alignment with post-Brexit data protection laws. The EDPB’s findings stress the importance of coordinated guidance from supervisory authorities across the EU, particularly for cross-border operations. They recommend “raising awareness about [GDPR guidelines] is necessary, both at national and EU level”.

Final Thought: People First, Always

As the EDPB states, “Raising awareness about [GDPR guidelines] is necessary, both at national and EU level”. Privacy management isn’t just about avoiding penalties—it’s an opportunity to foster loyalty and trust. By prioritising individuals, simplifying processes, and training teams, businesses can transform privacy from a compliance obligation into a competitive advantage. Start small, think big, and always put people first.
