A Quiet Shift in Privacy Requests
There’s a quiet shift likely to happen with the introduction of IPP3A. Not the kind that arrives with urgency or sweeping change programmes, but something more subtle, something that shows up gradually, in inboxes and workflows, in small moments that start to accumulate.
At its core, IPP3A makes people aware that organisations hold their personal information. People are made aware that they can ask to see it and if it isn’t right, they can ask for it to be corrected.
Once people become aware, they tend to act. They request a copy of what’s held about them and question whether it’s accurate. Individually, these requests are entirely reasonable. They are, after all, the point. But collectively, they begin to change the shape of demand in a way many organisations aren’t quite prepared for.
Whereas your organisation used to historically get a scattering of privacy requests this now becomes more frequent. What was once manageable starts to feel persistent. And processes that have quietly worked in the background begin to show their limits.
Most privacy request processes were never designed for volume. They grew organically, they are often manual, sometimes fragmented, usually dependent on a small number of people who know how to “make it work.” A request comes in, someone picks it up, systems are searched, emails are drafted, deadlines are noted somewhere. It currently works, until the volume shifts.
The upcoming changes for IPP3A won’t create these issues. It simply brings a volume of privacy requests to expose them. Therefore, it is a good time now as you prepare for IPP3A for consider how will my privacy request process scale because the question is less about whether volumes will increase, and more about what happens when they do.
This is where a small amount of intentional design can make a disproportionate difference. Simple things like creating a single place where requests are logged and visible. Allowing workflows to move requests forward without needing to be chased. Making it easier to find information across systems. Using templates so responses don’t begin from scratch each time. Maybe it’s time to consider moving to a tool like OneTrust instead of using spreadsheets and emails to manage your process.
We also find a large number of organisations spend a lot of time manually completing redactions of documents. Maybe it’s the time to consider a tool for automating the redaction process such as NEC Redact with the potential increased volumes.
IPP3A doesn’t demand immediate reinvention of the privacy request process. However, the organisations that respond well to the increased demand are unlikely to be the ones that wait for the pressure to build. They will be the ones that review their processes now to streamline them and introduce tools that make things easier before they become necessary.