Following the second anniversary of the General Data Protection Regulation (GDPR), guest contributor David Thomas, privacy and cyber consultant and former DPO, shares his perspective on how process, people and technology make up the three essential ingredients of successful DSAR management.
It has been several years since GDPR was passed into law. Yet organizations continue to adapt their operations to fulfill the obligations it has introduced. Organizations have experienced a huge cultural shift in how privacy is addressed. One of the most visible changes has been the increasing importance of the Data Subject Access Request (DSAR).
How do you handle data subject access requests? Most organizations have, by now, put in place their approaches for dealing with DSARs. In many cases, those processes are piecemeal and rudimentary. The systems put in place are often designed to handle a steady influx of DSARs; they were rarely stress-tested to see what happens when the number of requests suddenly increases. This is an increasingly likely scenario, as organizations receive DSARs from employees who have been laid off or put on furlough due to the COVID-19 pandemic. Being unable to scale up quickly to deal with a sudden spike in requests puts an organization at risk of complaints and regulatory scrutiny.
In my experience the three essential ingredients for successful DSAR management are as follows:
1. Process: Is it fit for purpose?
One of the challenges when planning DSAR management is that volumes can be very hard to predict. An organization might receive no new requests for months, before suddenly receiving several very complex ones, all at once. DSAR strategies must therefore have breathing room built in their processes to accommodate unpredictable rises and falls in demand.
One of the most important DSAR management tips is first to assess whether the current DSAR process can cope with sudden changes in volume or unexpected complications. For example, in one case I encountered, a DSAR arrived in the post addressed to the privacy team. Several days were wasted before the request was forwarded, because there was no provision in place for dealing with physical DSAR correspondence: the mailroom had trouble locating the privacy team, as it had limited access to intranet services. In a time-critical situation, where you have 30 days to respond, any delay is bad.
2. People: Collaboration is key
It is equally important to understand how people in different departments communicate and collaborate. Many requests need involvement from the IT department, while DSARs raised by current and former employees need the attention of HR, and potentially also the organization's legal and privacy specialists.
With so many parties involved, it is essential to have good governance in place to manage collaboration between departments. All parties must be made to appreciate the importance of DSARs, and communication is pivotal in this. If a DSAR begins to take on a legal dimension, the teams involved must adopt a restrained approach when discussing the subject matter, so that their own internal communications do not prejudice the organization's position. Training and awareness in this respect are vital.
3. Technology: Automate as much as you can
Alongside having the right people and processes, handling DSARs also requires the right technology. Completing DSARs can be very time-consuming unless you have the right tools. By far the most time is spent searching through systems for relevant data. This is particularly true when the request is complex, requiring access to copious amounts of data from multiple areas of the organization.
Manual searches are a major drain on resources, and default operating system search tools are not designed to support the kind of targeted activity required for DSAR fulfillment. Searches involving thousands of files take ages to process. Likewise, when it comes to data redaction, some organizations still edit individual documents manually using Microsoft Word or Adobe Acrobat. Such an 'elbow grease and long shifts' approach can only carry you so far.
A better approach is to consider using specialized tools that can complete searches quickly, return accurate results and automate as much of the process as possible.
In this respect, a solution like Guardum by DFIN really stands out. It quickly locates the required data from different repositories and systems, automating essential but time-consuming tasks like data redaction. With Guardum, data points in all relevant files can be redacted simultaneously. Files can even be redacted by default as soon as they are first created and saved on the system.
Guardum also neatly addresses the collaboration issue, allowing multiple parties to work together to share and edit data as needed. All activity can automatically be fed into an audit trail for examination by compliance auditors or legal professionals, reducing the need for and volume of email conversations.
In summary, successful DSAR management starts with sound procedures, good collaboration, and governance across multiple teams underpinned by good automation tools such as Guardum. Together, these three ingredients give organizations the flexibility needed to handle even the biggest avalanche of unexpected DSARs.