Following the second anniversary of the General Data Protection Regulation (GDPR), guest contributor David Thomas, privacy and cyber consultant and former DPO, shares his perspective on how process, people and technology make up the three essential ingredients for successful DSAR management.
It has been several years since GDPR was passed into law. Yet businesses continue to adapt their operations to fulfil the obligations it has introduced. Organisations have experienced a huge cultural shift in how privacy is addressed. One of the most visible changes has been the increasing importance of the Data Subject Access Request (DSAR).
Most companies have, by now, put in place their approaches for dealing with DSARs. In many cases, processes are piecemeal and rudimentary. The systems put in place are often designed to handle a steady influx of DSARs and are rarely stress-tested to see what happens when the number of requests suddenly increases. This is an increasingly likely scenario, as businesses receive DSARs from employees who have been laid off or placed on furlough due to the COVID-19 pandemic. Being unable to scale up quickly to deal with a sudden spike in requests puts an organisation at risk of complaints and regulatory scrutiny.
In my experience the three essential ingredients for successful DSAR management are as follows:
- Process: Is it fit for purpose?
One of the challenges when planning DSAR management is that volumes can be very hard to predict. A business might receive no new requests for months, then suddenly receive several very complex ones all at once. DSAR strategies must therefore have breathing room built into their processes to accommodate unpredictable rises and falls in demand.
An important first step is to assess whether the current DSAR process can cope with sudden changes in volume or unexpected complications. For example, in one case I encountered, a DSAR arrived in the post addressed to the privacy team. Several days were wasted before the request was forwarded because there was no provision in place for dealing with physical DSAR correspondence. The mailroom had trouble locating the privacy team as they had limited access to intranet services. In a time-critical situation, where you have 30 days to respond, any delay is bad.
- People: Collaboration is key
It is equally important to understand how people in different departments communicate and collaborate. Many requests need involvement from the IT department, while DSARs raised by existing and current employees need the attention of HR, and potentially also the company’s legal and privacy specialists.
With so many parties involved, it is essential to have good governance in place to manage collaboration between departments. All parties must be made to appreciate the importance of DSARs. Communication is pivotal in this as well. If a DSAR begins to have an increasing legal dimension, multiple teams must adopt a restrained approach in discussing the subject matter to avoid prejudicing themselves. Training and awareness in this respect are vital.
- Technology: Automate as much as you can
Alongside having the right people and processes, handling DSARs also requires the right technology. Completing DSARs can be very time-consuming unless you have the right tools. By far the most time is spent searching through systems for relevant data. This is particularly true when the request is complex, requiring access to copious amounts of data from multiple areas of the business.
Manual searches are a major drain on resources, and default operating system search tools are not designed to support the kind of targeted activity required for DSAR fulfilment. Searches involving thousands of files take ages to process. Likewise, when it comes to data redaction, some businesses still edit individual documents manually using Microsoft Word or Adobe Acrobat. Such an ‘elbow grease and long shifts’ approach can only carry you so far.
A better approach is to consider using specialised tools that can complete searches quickly, return accurate results and automate as much of the process as possible.
In this respect, a solution like Guardum by DFIN really stands out. It quickly locates the required data from different repositories and systems, automating essential but time-consuming tasks like data redaction. With Guardum, data points in all relevant files can be redacted simultaneously. Files can even be redacted by default as soon as they are first created and saved on the system.
Guardum also neatly addresses the collaboration issue, allowing multiple parties to work together to share and edit data as needed. All activity can automatically be fed into an audit trail for examination by compliance auditors or legal professionals, reducing the need for and volume of email conversations.
In summary, successful DSAR management starts with sound procedures, good collaboration, and governance across multiple teams underpinned by good automation tools such as Guardum. Together, these three ingredients give organisations the flexibility needed to handle even the biggest avalanche of unexpected DSARs.