The process of fulfilling a Data Subject Access Request (DSAR) is quite complicated. It involves verifying the requestor's identity, searching massive data sets for that person's information, and tying that information back to the individual who requested it in a secure and timely manner. Keeping all this in mind, if your company receives a DSAR, fulfilling the request can become stressful, time-consuming and costly.
When it came into force in May 2018, the EU’s GDPR was hailed as giving individuals greater control of their data. As such, Subject Access Requests (SARs) were updated to become Data Subject Access Requests (DSARs), with new requirements designed to make it easier for individuals to access information that organisations held about them; organisations could no longer charge a fee for DSARs and responses would have to be made within 30 days instead of 40 days. Unfortunately, it has been shown that some organisations are woefully underprepared for the number of requests they have received and are struggling to respond within the legislated timeframe.
Failure to comply with a DSAR can result in action being taken by the Information Commissioner's Office (ICO), which could ultimately land the organisation with a hefty fine; this could be up to 4 per cent of annual global turnover or €20,000,000, whichever is higher.
Since the introduction of the GDPR, individuals have the right to request access to all the information an organisation holds on them: "without undue delay and in any event within one month of receipt of the request".
Without the right processes in place, organisations will likely fail to respond in the time limit required by the GDPR. This is particularly telling when organisations receive hundreds or even thousands of requests for information. Take, for instance, London’s Metropolitan Police Force. In June, the ICO handed the Met an enforcement order for having more than 1,100 open requests, with 680 being over three months old.
There are a number of challenges that such requests present to organisations. Firstly, information could be contained within hundreds of different documents that an organisation holds, including emails between the individual and the company, forms they have filled in, comments they have made, applications, transactions and so on.
Secondly, as a business grows, the likelihood is that its IT infrastructure and data storage will also grow. The result is that the relevant information could be spread over on-premises servers, servers in the cloud, and employees' personal devices.
The key to coping with DSARs is to be ready to respond to them before they come in. If you haven’t got the right mechanisms in place when you receive a DSAR, the chances are that you will miss something.
One of the most significant steps an organisation can take to streamline the process is ensuring that all data in its network is mapped. This means creating an index of all your data, both structured and unstructured, to help find those files containing data subject identifiers. This information can be held in any file type, including Word documents, spreadsheets, plain-text files, XML files and even zip files. In regard to data subject identifiers, a search needs to be able to flag the patterns and regular expressions (regexes) that apply across the 28 member states, such as national identification numbers, passport numbers, personal ID numbers, VAT numbers and so on.
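The mapping step above, as an added example that is not part of the original article: a small Python data-discovery indexer that walks a directory tree, expands zip archives (with a size and nesting guard), pulls text and attribute values out of XML, and records every identifier-shaped match so that a DSAR can be answered by lookup rather than an ad-hoc search. The regex patterns, the file names and all the identifier values in the sample corpus are constructed assumptions for illustration; the patterns are deliberately simplified and a real deployment would need one validated pattern per member state.

```python
"""Index personal-data identifiers across a file tree so a DSAR can be
answered by lookup.  Illustrative example, not production code."""
import io
import os
import re
import tempfile
import zipfile
from collections import defaultdict
from pathlib import Path
from xml.etree import ElementTree as ET  # assumption: trusted files; use defusedxml for untrusted input

# Simplified, illustrative patterns (assumption): real deployments need one
# pattern per member state plus checksum validation to cut false positives.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "uk_ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    "eu_vat": re.compile(r"\b(?:GB|DE|FR|NL|IE)\d{9}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # skip oversized archive members (zip-bomb guard)
MAX_ZIP_DEPTH = 3                    # bound nested-archive recursion


def _expand(name, data, depth=0):
    """Yield (logical_path, bytes); zip archives are walked recursively."""
    if (name.lower().endswith(".zip") and depth < MAX_ZIP_DEPTH
            and zipfile.is_zipfile(io.BytesIO(data))):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                yield from _expand(f"{name}!{info.filename}", zf.read(info), depth + 1)
    else:
        yield name, data


def iter_documents(root):
    """Yield every regular file under root, expanding archives as logical paths."""
    for path in sorted(root.rglob("*")):
        if path.is_file():
            yield from _expand(str(path), path.read_bytes())


def extract_text(name, data):
    """Searchable text for one document: XML text nodes plus attribute values,
    anything else decoded as UTF-8 with undecodable bytes replaced."""
    if Path(name).suffix.lower() == ".xml":
        try:
            root = ET.fromstring(data)
            parts = list(root.itertext()) + [v for el in root.iter() for v in el.attrib.values()]
            return " ".join(parts)
        except ET.ParseError:
            pass  # fall through and scan the raw bytes instead
    return data.decode("utf-8", errors="replace")


def build_index(root):
    """Map identifier value -> {(pattern_name, logical_path)} for the whole tree."""
    index = defaultdict(set)
    for name, data in iter_documents(root):
        text = extract_text(name, data)
        for pat_name, pat in PATTERNS.items():
            for m in pat.finditer(text):
                index[m.group(0)].add((pat_name, name))
    return dict(index)


def locate_subject(index, identifiers):
    """Every document that references any of a data subject's known identifiers."""
    return {path for ident in identifiers for _, path in index.get(ident, ())}


def build_sample_corpus(root):
    """Constructed sample files (not real data) covering text, CSV, XML and zip."""
    (root / "notes.txt").write_text("Call back alice.smith@example.com re invoice\n")
    (root / "contacts.csv").write_text("name,ni\nAlice Smith,AB123456C\nBob Jones,ZZ999999A\n")
    xml = ('<crm><customer email="alice.smith@example.com">'
           '<iban>GB29NWBK60161331926819</iban></customer></crm>')
    with zipfile.ZipFile(root / "archive.zip", "w") as zf:
        zf.writestr("export/crm.xml", xml)
        zf.writestr("export/readme.txt", "VAT GB123456789 on file")


def run_demo():
    """Index the constructed corpus and locate one subject; paths are reported
    relative to the corpus root so results are stable across machines."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_corpus(root)

        def rel(p):
            return p.replace(str(root) + os.sep, "", 1)

        raw = build_index(root)
        hits = locate_subject(raw, ["alice.smith@example.com", "AB123456C"])
        index = {k: {(n, rel(p)) for n, p in v} for k, v in raw.items()}
        return index, sorted(rel(p) for p in hits)


if __name__ == "__main__":
    found, files = run_demo()
    for ident, where in sorted(found.items()):
        print(ident, sorted(where))
    print("documents to review for this subject:", files)
```

Run with `python dsar_index.py`. The index is keyed by identifier value, so answering a request means looking up the identifiers the verified requestor is known by (here the email address and NI number) and collecting every logical path, including paths inside archives, that mention them. Word and spreadsheet formats are zip containers themselves, so extending the archive expander to `.docx` and `.xlsx` members is the natural next step.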
A data subject request involves the data subject sending a formatted message to the data controller and asking them to take some action regarding the data subject’s personal data. These actions can include transferring, correcting or erasing data points.
The data subject request (DSR) is distinct from the data subject access request (DSAR), in which a data subject asks to access their own personal data as it is held by a third party. By contrast, the data subject request asks the data controller to take some action on that data.