Some of the toughest decisions organisations made during the COVID-19 pandemic have been those impacting their staff. Millions of workers were furloughed and millions more jobs were cut, particularly in hard-hit industries such as travel. These disruptions are expected to continue.
Among the many serious impacts of the pandemic, one that few would have predicted is a surge in Data Subject Access Requests (DSARs). We are seeing a notable spike in requests as disgruntled individuals seek data to build a case for wrongful dismissal. Furloughed, laid-off, and terminated employees have submitted DSARs to prepare for potential future action or because they feel they were treated unfairly.
We anticipate this number will continue to increase, so businesses must deal with DSAR increases even as their operations are hampered by the pandemic. Research that Guardum by DFIN commissioned found that 75 percent of Data Protection Officers (DPOs) are struggling to meet data compliance obligations. Further, 60 percent of DPOs feel they do not have the resources to cope with the demand and 30 percent fear being overwhelmed by a flood of DSARs once the pandemic eases.
The good news for companies dealing with an influx of DSARs is that they will be able to use the General Data Protection Regulation’s (GDPR’s) built-in protections for exceptional circumstances and fulfil requests in 90 days rather than 30 – although they must still respond to requesters in the initial timeframe.
However, most businesses will continue facing significant barriers to completing requests. As with all other areas of the organisation, they need to have a solid remote working contingency plan to handle DSARs when operating with limited staff and resources.
There still needs to be a high level of coordination with the DPO to ensure cases are fulfilled completely and nothing is missed. We have encountered cases where DSARs were not completed correctly and staff did not wait for reviews from the DPO.
Companies that retain a significant number of physical assets, such as filing cabinets of personnel files, will struggle to fully comply with DSARs. Even digital assets may be hard to access if they include large files and individuals have poor Internet bandwidth at home.
Looking to the future
Many businesses will have been caught out, not only by the influx of DSARs caused by the pandemic but also by the practical limits on coordinating and fulfilling requests. Organisations must get to work on future-proofing their operations in the event of further disruptions or more requests.
An important first step is to move away from paper-based files, with the ultimate aim of having digital copies of all physical assets. Although digitising everything is no small task, it will greatly improve the management of DSARs remotely, as well as data privacy and security. Remote desktops are one of the best solutions for accommodating large file sizes, as they can be located on the same server and avoid data transfer issues.
With everything digitised and accessible online, the next priority is to start implementing automation to deal with as much of the DSAR process as possible. Automated tools can take on the heavy lifting of locating files relating to a request and carrying out specific demands such as deleting information. Locating and classifying all relevant personal data on the system will make this even more efficient, as well as allow the automatic application of actions such as data anonymisation or redaction.
With many organisations already likely to receive an influx of DSARs, taking steps to automate and future-proof data management and governance as soon as possible will leave businesses better equipped, whatever the future holds.