Playbook: The BD4D Standard
3. Control
The Better Deal for Data Commitments
version 1.0
Control. We will delete Your Data, correct it, or transfer it to You if You ask.
What this means in practice.
Individuals or communities whose data is being collected, stored, used, and/or shared by an organization adopting the BD4D Commitments must also have the ability to request that their data be deleted, corrected, or provided to them.
What a BD4D Adopter needs to do.
- The organization must have a way for someone to submit such a request (often referred to as a “Data Subject Request”), if it holds data meeting the definition of “Your Data.” This may be via a general, regularly monitored email account, or it may be part of a larger, more complex compliance and fulfillment system.
- When a request is received, the organization must acknowledge it and respond in a reasonable timeframe. If an organization has the data described in the Data Subject Request, it should verify the identity and authority of the individual (or organization) making the request; however, care must be taken to minimize the amount of personal information needed to do so.
- Internally, there must also be a process in place to identify the requested data and all its locations, and then to remove, edit, or provide it securely to the data subject in a usable digital format, all at no cost to the requestor.
When does this Commitment apply?
- This Commitment applies both to data that was initially collected or originated by the BD4D Adopter, and to data that the organization received from others that meets the definition of “Your Data.” If this data was received from others, the adopting organization should generally forward the request to the original data collector, regardless of whether they have also adopted the Commitments.
- Likewise, if the data has been shared by a BD4D Adopter with others, then the adopting organization should pass the request to the data recipients for appropriate correction or deletion.
When does this Commitment not apply?
- In all cases, the BD4D Adopter must respond to the request. However, there are some cases where the request itself may not be fulfilled, as noted below.
- If an organization does not save the data it collects, or no longer has access to it in a form where it can be identified for deletion, correction, or transfer, then any requests to do so cannot be fulfilled.
- Some organizations, especially in regulated fields like finance or healthcare, may be subject to data retention or records laws which require them to retain copies of the data for a certain amount of time. In this case, the organization must still respond to the requestor, explaining any such limitations.
- Data may have been made public, with the explicit permission of the data subject, or been aggregated as part of a larger dataset, such as those used for research or reporting. In these cases, a request to delete or correct the data will only affect any future updates or uses of that data in its original and identifiable form, not any existing aggregation, anonymized dataset, or publication.