How to cope with the influx of data subject access requests.

May 26, 2020

As the lockdown begins to ease, businesses must prepare for an influx of DSARs

Some of the toughest decisions businesses have made during lockdown have been those impacting their staff. More than four million workers have so far been furloughed, but hundreds of thousands of jobs have still been cut, particularly in hard-hit industries such as travel.

Among the many serious impacts of the pandemic and lockdown, one that few would have predicted is a surge in Data Subject Access Requests (DSARs). We have seen a notable spike in requests as disgruntled individuals seek data to build a case for wrongful dismissal or to show that their employer has failed to protect them. Furloughed employees have also submitted DSARs, either to prepare for potential future action, or because they feel they were treated unfairly.

We anticipate this number will continue to increase, so businesses must deal with the requests even as their operations are hampered by the lockdown. New research commissioned by Guardum found that 75 percent of DPOs are struggling to meet data compliance obligations during the lockdown. Further, 30 percent fear being overwhelmed by a flood of DSARs once the pandemic eases, and three in five feel they do not have the resources to cope with the demand.

Lockdown challenges

The good news for firms dealing with an influx of DSARs is that they will be able to use the GDPR’s built-in protections for exceptional circumstances, and fulfil requests in 90 days rather than 30 – although they must still respond to requesters in the initial timeframe.

However, most businesses will face significant new barriers to completing requests. As with all other areas of the business, they need to have a solid remote working contingency plan; in many cases the team that handles DSARs may be operating with limited staff and resources as well.

There still needs to be a high level of co-ordination with the DPO to ensure cases are fulfilled completely and nothing is missed. We have encountered cases where requests were not completed correctly as staff did not wait for word from the DPO.

Companies that still retain a significant amount of physical assets, such as filing cabinets of personnel files, will struggle to fully comply with requests. Even digital assets may be hard to access if they include large files and individuals have poor internet bandwidth at their homes.

Looking to the future

Many businesses will have been caught out not only by the influx of DSARs caused by the lockdown, but also by the practical limits on coordinating and fulfilling requests. Businesses must get to work on future-proofing their operations in the event of further lockdowns, and as more requests come in.

An important first step is to move away from paper-based files, with the ultimate aim of having digital copies of all physical assets. Although digitising everything is no small task, it will greatly improve the management of DSARs remotely, as well as data privacy and security demands in general. Remote desktops are one of the best solutions for accommodating large file sizes, as they can be located on the same server and avoid data transfer issues.

With everything digitised and accessible online, the next priority is to start implementing automation to deal with as much of the DSAR process as possible. Automated tools can take on the heavy lifting of locating files relating to a request and carrying out specific demands such as deleting information. Locating and classifying all relevant personal data on the system will make this even more efficient, as well as allowing the automatic application of actions such as data anonymisation or redaction.

With many businesses already likely to receive an influx of DSARs in coming weeks, and an unknown path ahead, taking steps to automate and future-proof data management and governance as soon as possible will leave firms better equipped, whatever the future holds.