
GDPR and the rise of DSARs in business sector

By Business & Finance
23 October 2019

Data Subject Access Requests (DSARs) have been on the rise since the introduction of the General Data Protection Regulation (GDPR), but many organisations are struggling with them, writes Inés Rubio.

What is a Data Subject Access Request and how can organisations streamline the process? 

Data Subject Access Requests (DSARs) have been on the rise since the introduction of the General Data Protection Regulation (GDPR) over a year ago, and many sectors, from legal to marketing and Human Resources, are feeling the impact as consumers become more aware of their personal data rights. While some organisations will have a Data Protection Officer (DPO) or Privacy Officer (PO) appointed to manage a DSAR, those that don’t can struggle as they become inundated with requests.

Personal data is wide-ranging and can include CCTV data, phone call data, email data, log data, order history data or social media content. For employees, it can also cover all documents where their name is mentioned, from their first interview to meeting notes, emails and any work they have performed, including communications on team collaboration software tools.

Although it should be relatively simple for a business to search for personal data and provide it to the data subject who has requested it, in practice the process can often be time-consuming and complex if organisations don’t have the necessary knowledge, tools or resources to meet the demand.

Inés Rubio, Head of Information Management and Incident Response, BSI

The right to access and how organisations need to comply 

A DSAR is the process by which European citizens and residents can obtain a full account of all personal data that an organisation holds on them, an explanation as to why this information is being held, and copies of this data. Under the GDPR, companies are expected to complete DSARs within one month – previously it was 40 days.

With the number of requests understandably predicted to rise over the coming year as more people become aware of their rights under the GDPR, business professionals need to be prepared. They need to know where personal data is stored and what the data contains in order to fulfil a request. 

The way in which an organisation can receive a DSAR has expanded outside of the traditional postal option with the introduction of the GDPR. Requests can be made by email, in person or by phone, through a live chat portal, or even via social media channels.

Advice on best practice when responding to a DSAR 

Preparation is key when it comes to DSARs. Professionals need to be ready and aware so that minimum pressure is placed on them when they are required to respond to a request. By streamlining the process and establishing working methods and data flows that complement existing processes, organisations can reduce the impact on resources. 

Businesses need to work with their nominated Data Protection Officer (DPO) or Privacy Officer (PO), or the core data management and privacy team, who should act as the primary point of contact for DSARs. If an organisation doesn’t have one appointed, it must consider whether a person within the company with the necessary skills could take on the responsibility, or consider outsourcing the role.

Implementing the following will ensure that a DSAR is responded to efficiently, improving processes that are already in place and creating a structure where none exists:

  • A vital first step is to know where the organisation’s data is stored and what the data contains, and to understand why it is being held and what it is used for. Once this is known, the data can be scoped according to the DSAR that has come through.
  • It’s important to map the company’s infrastructure and data flows to know where data is stored, how it is being accessed and how it is being protected.
  • When other individuals’ sensitive data is present as part of the DSAR search, organisations need to be vigilant and remove or redact/mask the data to ensure it is not disclosed to an unauthorised person.
  • Consider supporting software tools that make it more efficient to access, search and export the data requested. Implementing a managed DSAR automation service will streamline the process, providing centralised cloud applications for searching, reviewing, analysing and automated redaction. It can assist with:
    • Filtering the data via key words / data analytics
    • Processing data types used by the organisation: Slack, Teams, WhatsApp 
    • Deduplication of data 
    • Having an audit log of actions taken during the review 
  • Provide training and awareness for all staff members so that they are aware of what a DSAR is and who within the organisation would manage it.  This is vital for customer service employees as they are typically the main point of contact for organisations. They may receive a request but not necessarily understand its importance. This may result in a situation where the DSAR is not shared with the relevant team member to respond to within the required timeframe.

Streamlining the DSAR process and establishing working methods and data flows that complement existing processes enables organisations to reduce the impact on their resources and ensure that a request is completed in a compliant and timely manner.

About the author: 

Inés Rubio is the Head of Information Management and Incident Response at BSI. Inés manages a team of technical consultants in providing solutions to a broad range of clients and industry sectors covering legal, financial, public bodies and private corporations.