The General Data Protection Regulation, or GDPR, has been in effect in the EU since May 25th 2018. There is a lot of information out there on the GDPR and specifically on the right of access by the data subject under Article 15, otherwise commonly known as Data Subject Access Requests (DSARs), but many of our clients are asking the same thing.
How do they respond to them in an efficient, effective, repeatable and defensible manner, to help to control costs whilst at all times underpinning their accountability obligations?
There may be some truth in the fact that the rules are not that different from what they were before the GDPR went into effect last year; however, the new regime did create some new challenges specific to DSARs, including:
Elimination of the cost barrier and also of the requirement for requests to be in writing
Reduction of timelines from 40 days to 1 month, extendable in limited circumstances
Rights and freedoms of others to be considered
Increased list of transparency information required
Increased awareness of data subjects around their rights
All of these challenges come amidst a climate of increased awareness around data subject rights in a social media driven world, with the potential to increase organisational burdens, such as administration costs and an enhanced reputational risk.
DSARs currently have no formal public reporting requirement, so gathering statistics can be a challenge. Anecdotally, law firm clients we have spoken to are seeing between one and four new requests a week, with an average duration of three to four months. Generally, these are the more challenging DSARs that require external legal input, and does not account for those handled internally by corporations or other organisations.
The type of DSAR that most organisations look to address with Everlaw have a theme in common and that is a focus on unstructured data, which is frequently voluminous and over-inclusive even if previously classified at a high level through information governance processes. This is where the Everlaw platform can enhance your people and process with technology and really begin to help.
We will now consider three DSAR use cases with a focus on Workflow optimisation and automation:
Searching for Disclosable Data
Legal document review and the processes around it are potentially the greatest costs in a case, so using technology to help to reduce the effort can make a big difference, and having less documents reduces the time to completion.* To help to accomplish this quickly and easily, Everlaw offers powerful search tools. Searches from the most simple, for a novice user, to the most complex, for power users, are equally easy to achieve.
A specific search functionality that Everlaw includes is the ability to perform a Search Term Report. This enables an end user, such as a DSAR case lead, with just minutes of training, to run multiple content and/or metadata searches simultaneously.
Search Term Reports such as these are a hugely powerful tool, particularly when looking to handle repeated or voluminous requests.
Identification of Personal Data and Batch Redaction
The definition of personal data under the GDPR is very broad and includes any data that directly or indirectly identifies or makes a data subject identifiable, such as names, identification numbers, location data and online identifiers. The ability to quickly identify and automate the redaction of personal data can potentially save an organisation both time and money.
Everlaw makes it easy to identify and redact personal data across all the documents in a subset, or even at case level, identifying and then redacting, those documents that respond to the personal data regular expressions that are built into the platform.
Prepare and Deliver Article 15 Responses to Data Subjects
Supplying the actual documents that contain the requesting data subject’s personal data are vital to a successful DSAR response. Article 15 DSARs require that both copies of the documents, along with various transparency elements, are provided to the data subject in an appropriate and timely manner.
StoryBuilder, Everlaw’s narrative building toolkit, creates the opportunity for teams to collaborate seamlessly on DSAR responses by using capabilities such as chronology and outlines.
DSAR response templates can be created collaboratively in a StoryBuilder Outline where users can quickly insert the documents promoted from a Storybuilder Chronology to sit alongside the requests; giving greater structure and clarity to both the organisation and to the data subject.
The package can then be exported to PDF, for electronic sharing or printing and it is also possible to provide a more traditional document production through a secure link, or even to give the data subject limited access to the platform.
Getting Started on Everlaw
Everlaw helps to maximise efficiency during legal matters including investigations, litigation, arbitrations and, as discussed, data subject access requests. Everlaw includes all of our powerful tools and capabilities at no additional cost. To learn more about using Everlaw to manage your DSAR workflow, watch our on-demand webinar.
*Maura R. Grossman & Gordon V. Cormack, Technology-Assisted Review in E-Discovery Can Be More Effective and More Efficient Than Exhaustive Manual Review, 17 Rich. J.L. & Tech 11 (2011).