Data Subject Access Requests, or DSARs, can be a thorn in the side of any organization. The complexity of responding to a DSAR may stem from the volume of data involved or from the situation itself, especially where the DSAR is made as a precursor to litigation by a current or former employee. The level of effort involved in processing a DSAR in line with the expectations of the Data Protection Commission often surprises those who have never been through the process before, and for those handling a large volume of DSARs it quickly becomes clear that a structured and documented approach is essential.
ALG Solutions has assisted our clients on hundreds of DSARs over the past few years. Our experience in delivering project-managed, technology-driven and process-driven approaches to DSARs has been invaluable in supporting our clients. Here are our top five tips for managing a successful DSAR response.
- Act quickly. Although a month may seem like enough time to respond, the amount of work required, especially in the early stages, is often underestimated. When a DSAR is received in a contentious situation, or when you do not have a routine DSAR process in place, identifying, extracting and reviewing the data can be a complex and time-consuming task. It typically involves multiple stakeholders across your organization, from IT to compliance to HR, with possible input from the legal department. Although the deadline may be extended by up to a further two months for complex requests, the sooner you start to act (and ask for help), the more time you can devote to reviewing the data that may need to be produced.
- Find all the data. Remember to identify every place where the data subject's personal data might be stored. Email and HR systems are easily identified as relevant locations, but personal data may also sit in financial or customer databases, patient records and shared file servers, as well as in less obvious locations such as recorded audio from phone calls or CCTV systems. The most commonly overlooked source of personal data is controller-provided mobile devices: WhatsApp, Slack or text messages sent via work devices may fall within the scope of a DSAR and should be taken into account.
- Spend time filtering. In our experience with large-scale DSARs, technology is your friend. No matter how carefully you scope the collection, you are unlikely to produce all of the data you have collected. Leveraging technology is the most effective way to identify personal data within the collected material, and the filtering itself can be approached in two ways. You may be familiar with the more traditional approach of using search terms, date ranges or data types. More advanced technology using artificial intelligence can also be deployed; one example is a technique called concept clustering, which groups documents into clusters based on the topics or themes they contain. It is then easy to spot which clusters of documents can be set aside and which should be examined more closely for personal data. In order to decide on a filtering approach, it is essential to understand what the data subject is looking for with their request. If the data subject can narrow their request to specific topics or types of data (for example, relating to an HR process), filtering will be far more effective at isolating the personal data that you need to find and that the data subject wishes to receive.
- Decide on the redaction approach. Most DSAR responses will involve some level of redaction of the dataset produced in response to the request. This is usually to protect privileged or commercially sensitive information, or the personal data of third parties. The extent of redaction required can be decided on the basis of a number of factors, for example the type of document being produced and whether or not it contains extensive third-party information. More practical considerations may also come into play, such as the time and cost of redacting all third-party data, or the risks of keeping redaction to a minimum. Whichever approach you take to redaction, that decision should be made as early in the process as possible, so that redactions can be applied consistently across all of the data. Changing your mind about the redaction approach mid-course can lead to delays, as the work may need to be redone under the new approach. ALG Solutions leverages technology to apply redactions automatically where possible, so that a consistent approach is built into the process and human error and cost are minimized.
- Record decisions. Throughout the process of responding to a DSAR, many decisions will need to be made: decisions about the scope of the request, how to filter the data, and even decisions about individual documents and whether or not they contain the data subject's personal data. It is extremely important to keep a record of every significant decision, as this record will allow you to answer questions that may later be raised by the data subject or by the Data Protection Commission. Examples of decisions to record include whether documents have been withheld under an exemption (whether for privilege or another exemption under the GDPR), the reason for each redaction, and who made the difficult decisions regarding the response and why. Technology can also facilitate record keeping for a particular DSAR, including by keeping decisions and records alongside the data itself. This means that for any given document or file, the complete history of its collection, filtering, review and redaction can be recorded automatically and referenced at a later date. The software platform used by ALG Solutions, RelativityOne, also enables collaboration between the ALG team and our client. This is very convenient in practice, as clients can view the data, add their own comments and even approve or modify redactions as needed in real time.