Ask anyone responsible for Data Subject Access Requests (DSARs) and they will tell you their biggest challenge is responding to them in time. And no wonder. Searching through vast amounts of information sources to locate and extract the data specific to the subject, while responding within the statutory one month, is a race against the clock. Failure means having to ask for an extension or suffering the prospect of penalties imposed by the regulator.
Understanding the time limits and penalties
Under the General Data Protection Regulation (GDPR), DSAR response time is limited to one calendar month for a single request. A "calendar month" is defined as a period of four weeks, or 28 days. When it comes to multiple requests or requests that are deemed to be exceptionally complex, the DSAR response time may be extended to a maximum of three calendar months, or 89 days. For example, if a subject requests a rectification of data that has been found to be inaccurate, the entity receiving the request has 28 days to find and correct all instances of that data, unless an extension is requested and granted.
However, under the California Consumer Privacy Act (CCPA), DSAR response time is extended for most standard requests. Under the CCPA, the DSAR time limit is 45 days. If an extension is granted, DSAR response time is extended to 90 days. The exception is when consumers ask for the right to opt out, which must be fulfilled by the controller within 15 days without the possibility for extension.
The penalties for failing to comply with DSAR response time requirements can be especially onerous for companies. In the case of the U.K. GDPR and DPA 2018, the maximum fine for infringements was set at 17.5 million euros, or 4% of annual global turnover, whichever is greater. The EU GDPR establishes a maximum fine of 20 million euros, or 4% of global turnover, whichever is greater. In the case of the CCPA, companies are subject to a civil penalty between $2,500 and $7,500 per violation of the CCPA, including the DSAR mandate.
Find the data, wherever it is
Once the identity of the requester and their right to the information has been verified, the search for anything relating to them begins. Often this can be like looking for a needle in a haystack as their data could be in any of the files or documents an organization holds, both digital and physical. This could be letters, emails, application forms, subscriptions, or transcripts of any telephone conversations. Also, the chances are that this is scattered in various locations such as on-premises servers, in the cloud, or even a good old-fashioned filing cabinet.
Then there is the fact that very few of these documents are going to be mapped as containing information about the data subject. This means that information could be missed, which will not go down well with the requester (especially if they already hold the information being sought, which is a common tactic) or the regulator when they find out. This can result in legal action.
Once the data has been collected, any personal or sensitive information not connected to the data subject needs to be redacted or anonymized, which is a hugely time-consuming process if you are not using the right tools.
Preparation is key
Gathering all this information manually, then redacting it, takes a large number of employee hours. To respond in time, some organizations throw additional manpower at the problem with one in five organizations estimating DSARs cost them up to $33,000 (approximately €28,000). Also, there is the possibility that the data provided will be incomplete.
To save time, stress and money, organizations need to put in place systems that enable them to quickly find sensitive information held in both structured and unstructured formats, wherever it is located. Guardum by DFIN can do this by scanning all data for personal information as soon as it hits the system, a solution that is especially effective across unstructured and difficult-to-process file types. This also applies to hard copies of data which, thanks to partner solutions, can be digitized and brought into a common environment for searching and classification.
With these processes in place, finding specific details about a data subject can happen automatically with the push of a few buttons. Guardum can also automatically redact any information that should not be disclosed, so that it is protected. All that is needed is a review of which data have been extracted to confirm the redaction or anonymization is correct, and then the result can be sent to the requester.
When it comes to sending the relevant information to the requester, an organization has to include a report justifying its actions. However, many organizations are not doing this and in the event of a complaint, Data Processing Officers (DPOs) have to go back through their files to see why they sent out the information they did.
Guardum, in contrast, allows annotation notes to be created at the page, document, and phrase level to record why information was or was not redacted, while creating reports and highlighted copies of the documents. This enables DPOs to step back into a DSAR far more quickly and efficiently than any manual process allows.
With Guardum, completing a DSAR is quick and simple, freeing up valuable time and resources. While the clock is ticking, the 30-day deadline is no longer a race against time.