Any organisation that does business with people in the European Union (EU) will by now be familiar with the General Data Protection Regulation (GDPR), adopted in 2016 and applicable since 25 May 2018 as the single data protection regime across the EU. The GDPR applies not only to organisations established in the EU, but also to organisations anywhere in the world that process or store the personal data of individuals located in the EU.
What is a Data Subject Access Request (DSAR)?
The GDPR defines a data subject as “an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Such an individual has the right to obtain confirmation of whether an organisation is processing their personal data and, if so, a copy of it, by making what is known as a Data Subject Access Request (DSAR). The right is extensive, but it is not unfettered: it is subject to exemptions and to the rights of other people whose data may be mixed in with the requester’s.
How GDPR and other regulations figure with DSAR
The GDPR is not the only regulation governing the protection, privacy, and security of individuals’ data that organisations, be they companies, governmental entities, or otherwise, need to be aware of. In the United Kingdom the Data Protection Act 2018, read together with the UK GDPR (the EU regulation as retained in domestic law after Brexit), now governs the equivalent right of access, so UK organisations can no longer rely on the EU text alone. Similar in spirit to the GDPR, the California Consumer Privacy Act (CCPA) gives California residents a right to know what personal information a business holds about them. A business that falls within the CCPA’s scope must honour such a request no matter where in the world it is located.
Focusing back on the GDPR, a DSAR under Article 15 may be made in writing, by email, through an online form, orally, or by any other means, to any organisation that processes the personal data of individuals located in the EU; an organisation cannot insist that a particular form be used. On receipt of a DSAR, the organisation must respond without undue delay and in any event within one month, extendable by up to two further months where requests are complex or numerous, provided the requester is told of the extension, and the reason for it, within the first month. For this to make business sense, in terms of both time and budget, the response must be carried out in an efficient, effective, repeatable, and defensible manner, whilst at the same time controlling costs and meeting any applicable accountability obligations.
Challenges with DSARs
Responding to DSARs at a time of heightened awareness of data subject rights, amplified by social media, drives up administrative costs and exposes an organisation to the reputational and economic risk of non-compliance. DSARs that reach into large volumes of unstructured data (mailboxes, chat exports, file shares) are particularly challenging, and it is precisely there that technology platforms offer the most to those who must respond.
Whilst organisational measures are, of course, key, some of the biggest DSAR response challenges that can be addressed through the appropriate application of technical measures, for example automation, include:
Searching for Disclosable Data
Document search and review is potentially the most time-consuming and expensive part of responding to a DSAR. Using technology to streamline the effort is cost-effective: it narrows the set of documents that a human must review and shortens the time needed to complete the response. Search tools within appropriate tooling let a reviewer run several content and metadata searches at once (the requester’s name, email addresses, staff number, and so on), which matters most when handling repeated or voluminous requests.
Identifying Personal Data
The scope of personal data under the GDPR is broad, and identifying it within a document set can be a real challenge. The task is twofold: locate everything that is the requester’s personal data, and find the personal data of other individuals mixed in with it, which generally must be redacted before disclosure, since Article 15(4) provides that the right to a copy must not adversely affect the rights and freedoms of others. Whilst dealing with DSARs can put a significant strain on an organisation’s time and resources, using technology to identify personal data quickly and to automate the first pass of redaction saves both time and money. Appropriate tooling helps to locate and redact personal data across document sets, readying the content for human review and eventual delivery to the data subject; automated redaction should be checked by a reviewer before release, because a missed third-party detail is itself a disclosure.
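To make the two preceding steps concrete (searching a document set for the requester’s identifiers, then redacting other people’s personal data before disclosure), here is an added example. It is illustrative code written for this page, not code from the original article or from Everlaw’s platform. The documents, people, and addresses are constructed and fictional; the list of third-party names is assumed to come from an HR directory; and the regular expressions for email addresses and UK mobile numbers are deliberately simple stand-ins for the entity recognition a real platform would use.

```python
import re
from dataclasses import dataclass

# Constructed sample document set (fictional people, example.com addresses) standing in
# for an exported mailbox and file share. Real input would come from the collection tooling.
DOCUMENTS = {
    "hr/2023-03-01.eml": (
        "From: alice.smith@example.com\n"
        "To: bob.jones@example.com\n"
        "Alice Smith (employee 10442) asked about carrying over leave.\n"
        "Her mobile is 07700 900123; Bob Jones (07700 900987) will call her back.\n"
    ),
    "hr/2023-04-12.txt": "Minutes: Carol White reviewed the parking dispute. Alice Smith was not involved.\n",
    "it/ticket-77.txt": "Ticket raised by bob.jones@example.com about VPN access.\n",
}

# Other individuals named in the corpus whose data must be withheld from the requester.
# Assumed to be drawn from an HR directory; hard-coded here for the example.
THIRD_PARTY_NAMES = ("Bob Jones", "Carol White")

# Simplified detectors, sufficient for the constructed sample only.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
UK_MOBILE_RE = re.compile(r"\b07\d{3}\s?\d{6}\b")


@dataclass(frozen=True)
class Requester:
    name: str
    identifiers: tuple  # email addresses, staff numbers, phone numbers the subject supplied


def _norm(s):
    """Normalise for comparison: drop whitespace, lower-case (so '07700 900123' == '07700900123')."""
    return re.sub(r"\s+", "", s).lower()


def find_disclosable(documents, requester):
    """Return {path: [identifiers found]} for every document that mentions the requester."""
    hits = {}
    name_re = re.compile(r"\b" + re.escape(requester.name) + r"\b", re.IGNORECASE)
    for path, text in documents.items():
        found = []
        if name_re.search(text):
            found.append(requester.name)
        found += [i for i in requester.identifiers if _norm(i) in _norm(text)]
        if found:
            hits[path] = found
    return hits


def redact_third_parties(text, requester, third_party_names):
    """Mask emails, phone numbers and names that are not the requester's own.

    Returns the redacted text and a per-category count for the review log."""
    own = {_norm(i) for i in requester.identifiers}
    counts = {"email": 0, "phone": 0, "name": 0}

    def keep_own(kind, placeholder):
        def repl(m):
            if _norm(m.group(0)) in own:  # the requester's own data is disclosed, not redacted
                return m.group(0)
            counts[kind] += 1
            return placeholder
        return repl

    text = EMAIL_RE.sub(keep_own("email", "[REDACTED EMAIL]"), text)
    text = UK_MOBILE_RE.sub(keep_own("phone", "[REDACTED PHONE]"), text)
    for name in third_party_names:
        text, n = re.subn(r"\b" + re.escape(name) + r"\b", "[REDACTED NAME]", text, flags=re.IGNORECASE)
        counts["name"] += n
    return text, counts


def prepare_bundle(documents, requester, third_party_names):
    """Search, then redact, recording why each document was selected and what was masked."""
    bundle = {}
    for path, why in find_disclosable(documents, requester).items():
        redacted, counts = redact_third_parties(documents[path], requester, third_party_names)
        bundle[path] = {"text": redacted, "matched_on": why, "redactions": counts}
    return bundle


if __name__ == "__main__":
    alice = Requester("Alice Smith", ("alice.smith@example.com", "10442", "07700 900123"))
    for path, entry in prepare_bundle(DOCUMENTS, alice, THIRD_PARTY_NAMES).items():
        print(path, "matched on", entry["matched_on"], "redactions", entry["redactions"])
        print(entry["text"])
```

Two design points carry over to real tooling: the requester’s own identifiers are passed in once and used both to select documents and to exempt their data from redaction, so the two steps cannot drift apart; and every document in the bundle records why it was selected and how many items of each kind were masked, which is the audit trail a regulator will ask for if the response is later challenged. The IT ticket is correctly left out of the bundle because it contains only a third party’s data and nothing about the requester.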
Delivering Responses to DSARs
Article 15 of the GDPR (and, for UK organisations, the ICO’s guidance on the UK GDPR) requires that the data subject receive both a copy of their personal data and the supplementary information the Article lists: among other things, the purposes of the processing, the categories of data, the recipients, the retention period, the source of the data, and the existence of any automated decision-making. Where the request is made electronically, the copy should be provided in a commonly used electronic form unless the data subject asks otherwise. Supplying the requester’s personal data in a timely, adequate, and complete manner is critical to a successful DSAR response. Appropriate technology lets teams collaborate on the response and gives structure and clarity both to the organisation internally and to the data subject on receipt of the personal data.
Whatever point of view an organisation adopts on DSARs and its wider approach to data protection and privacy, it should expect to refine that approach as it goes. With an eye on regulators and courts, and given growing security requirements, organisations should document what they did and why they did it at each step: how the search was scoped, which documents were withheld or redacted, and under which exemption. That record will help if internal opinions shift later, or if the organisation finds itself in a discussion with the regulator or in a public forum such as a court or social media.
To learn how the Everlaw platform can help you manage workflow challenges related to DSARs, check out our white paper, “Introduction to Data Subject Access Requests,” today.