The rise and rise of Data Subject Access Requests (DSARs)

When General Data Protection Regulation (GDPR) came into force just over two years ago, it was hailed as giving people far greater control of their personal data.

Data Subject Access Requests (DSARs) give individuals the opportunity to request access to all the information an organisation holds on them, within 30 days of receipt of the request. People have become increasingly 'data aware' amidst concerns over who is using our personal data, and why. It is perhaps unsurprising that the number of DSARs is on the rise: the Information Commissioner's Office (ICO) reports that data protection complaints from the British public have gone up: 41,000 since May 2018, compared with 21,000 for the preceding year, and over a third (38%) relate to DSARs.

This raises the stakes significantly for data privacy compliance, with corporations facing additional responsibilities and costs. DSARs are time-consuming to manage and despite the impact of COVID-19, the 30-day legislated timeframe remains unchanged.

As DSARs are often used tactically, both prior to and alongside the litigation process, some have predicted a further spike of DSARs in the UK when the Government's furlough scheme comes to an end in October. As furloughed employees return to work and face the prospect of possible redundancy, they may seek to understand the reasons why they have been selected for redundancy by submitting a DSAR to their employer.

With many companies already struggling to adhere to data compliance obligations, this will undoubtedly increase the pressure. Failure to comply with a DSAR requirement can result in significant fines from the relevant authorities, which could be as much as 4% of the company's annual global turnover.

Common pitfalls surrounding DSARs

Given that an organisation must now respond to a DSAR within 30 days, it is imperative for organisations to be able to find and collate personal data quickly and accurately as well as create and deploy a DSARs process that is defensible, efficient and secure. The problems often start with an inability to access the data, which is held in multiple locations across the business. Most companies do not have a process in place for responding to DSARs and attempt to manually organize and respond to requests that are not precise, not recorded as part of the process and have no reporting, before finally releasing non-responsive and confidential data.

Some of these complicated sources include hard copy personnel records, emails between the individual and the company, forms they've completed and comments they have made. The growth of new 'unstructured data' sources, the increasing use of collaborative enterprise networks, and an ever-evolving IT infrastructure with on-site and cloud-based servers, add an additional layer of complexity. Many organisations are also holding onto more information about an individual than is necessary because of weak retention policies, leading to a potential scenario whereby companies waste valuable time - and money - sifting through irrelevant material.

Finding all the personal data about an individual, then responding by sending them their data, deleting it, or both - all within 30 days - is fraught with risk at every stage of the process.To date the technology process for a DSARs request has historically fallen to the basic litigation discovery processes (collecting data, processing and review) at a high expense.

Managing DSARs more effectively

We understand where the challenges lie, and the data governance team at FRA has developed bespoke AI technology solutions, which enable companies to better understand their data assets in a way that is unique to them. These AI solutions allow for speed, accuracy, efficiency and the move from traditional bulk data collections, processing and review. FRA is able to assess a company's needs by reviewing data retention policies, employee agreements and data sources to create and deploy a customized DSARs process.

One of those products is 4iG, an AI-based, patented information governance platform that connects with various enterprise data sources, mines the data and pulls/creates valuable information and electronic story board reporting.

These types of reporting are unique to the industry because of the detailed insights into people, places, events, concepts as well as sensitive information that is prevalent within an enterprise - allowing business users to effectively implement data governance strategies. Compared to a manual or traditional linear review of documents, we now have products that have significantly enhanced efficiency and speed. As well as dramatic time and cost savings, one of the key benefits is risk mitigation. 4iG automatically redacts any Personally Identifiable Information (PII) or other search terms in the collection of data, in native format, from its source, before the data is exported. This first kind of capability is transformational for organisations to operationalise compliance with GDPR as well as other data privacy and compliance regulations.