Central versus Local

As mentioned in an earlier blog by my colleague Pieter, the easiest way to manage the data is to have it centrally managed. However, most companies have to deal with their existing infrastructure, and will have to deal with multiple systems where personal data is stored and/or processed. Of course, the size and complexity of the organization also make an enormous difference – for international players, the challenges are much greater than for small local enterprises. On the other hand, most of the personal data is for local usage (local clients, employees) and is probably stored in a local system only and/or in a local entity within the global system. For real-world data removal requests, this implies that most businesses will have to check several systems/environments to be sure the data removal request is handled correctly across all systems. Your business should by now have a correct working procedure describing where data is stored, what kind of personal data is stored in these environments, and who is the responsible person for any data information/removal requests for each environment.
Removal request process

Usually a data removal request is received by a local sales office or customer call center. It is important that these employees are well trained in how to handle these requests: they should have the agreed process at hand, and forward the request to the centrally assigned person within the organization responsible for GDPR-related requests. This central coordinator distributes the request to the various data owners within the various systems. All these data owners must respond within the agreed time slot back to the coordinator.
Thereafter the original requester can be informed about the successful removal, probably via the central coordinator.
An interesting side note is that all communication around the removal request will probably contain the information which needs to be removed, so this will trigger a new trail of data (in the email or ticketing system). Since there is a legal ground to store this data (proof that the data removal process is handled correctly), we can assume this data trail should be kept for future reference for some time.