The General Data Protection Regulation (GDPR) has brought a lot of attention on Data Subject Access Requests (DSAR) since it was introduced almost a year ago.
Organisations need to be prepared, know where personal data is stored and what the data contains in order to fulfil a request from clients, consumers or employees.
Whilst this is great in theory, it doesn’t always play out in practice, resulting in excess use of internal resources for businesses.
By streamlining the process and establishing working methods and data flows that complement existing processes, organisations can reduce the impact on resources.
What is a DSAR?
A DSAR is the legal mechanism which allows European citizens and residents to obtain a full account of all personal data an organisation holds on them, an explanation as to why this information is being held, and copies of this data should they wish.
Under the GDPR, companies are expected to complete DSARs within one month – previously it was 40 days.
The introduction of the GDPR also expanded the ways in which organisations can receive a DSAR beyond the traditional postal option. Requests can be made by email, verbally in person or by phone, through a live chat portal, or even via social media channels.
The sources of data within a business are expansive and include CCTV data, backup data, phone call data, web chat data, log data, emails, CRM records, or order history.
When a DSAR comes from an employee, it can also include all emails, any meeting minutes where the employee's name is mentioned, and any documents or correspondence relating to work they have done.
Reasons why responding to a DSAR can be challenging
It should be reasonably “simple” to search for personal data and provide it to the data subject who has requested it. In practice, however, the process is more complex, and here are some of the reasons why:
- Organisations sometimes use the same files, such as Excel spreadsheets, to store personal data relating to multiple individuals. This is particularly common with data relating to employees. Any sensitive data relating to other people will need to be removed or redacted from the documents, which is a slow and intensive process if done manually.
- Companies may know where their data is but may not always have the right tools in place to easily access, search and export the data in scope for a DSAR.
- If an organisation doesn’t have the right tools in place, it is often too late to source and implement one once a request has been received.
- If a large amount of staff time is needed to respond to a DSAR, it can consume their working day. This can increase the risk of sensitive data being shared if the response is done in panic mode, with no processes or best practices in place and no formal quality-checking mechanism.
Streamlining DSAR responses
Preparation is key. A DSAR should not place a heavy burden on organisations that are ready, are aware of what is required to respond, and have identified the tools to assist them.
Having the following ready should help organisations respond in an efficient manner:
- Adequately mapped data flows, so that the organisation understands where the data is stored and what the scope of a request is
- Robust processing and searching capabilities
- Automated redaction capabilities, to reduce the manual work needed to remove sensitive data relating to individuals other than the requester
- For larger organisations, a managed DSAR automation service is an efficient way of availing of the best technology to streamline the process, including centralised cloud applications for searching, reviewing, analysing and automated redaction. This type of approach is a tailored process and workflow in which the end user’s focus and effort go primarily into the Quality Control (QC) stage, instead of into searching, manually checking and redacting every document and wasting time on the false positives that come up.
Implementing a streamlined DSAR process, whether you are a large or small organisation, will not only reduce the impact on resources but will also ensure that the requester receives all relevant details in a timely and compliant manner.
Inés Rubio is head of information management and incident response at BSI Cybersecurity and Information Resilience.