March 20, 2020

The clock is ticking: getting on top of DSAR requests

Ask anyone responsible for DSARs and they will tell you their biggest challenge is responding to them in time. And no wonder. Searching through a vast number of information sources to locate and extract the data specific to the subject, in order to respond within the statutory 30 days, is a race against the clock. Failure means having to ask for an extension or facing the prospect of penalties imposed by the regulator.

Find the data, wherever it is 

Once the identity of the requester and their right to the information have been verified, the search for anything relating to them begins. Often this can be like looking for a needle in a haystack, as their data could be in any of the files or documents an organisation holds, both digital and physical. This could be letters, emails, application forms, subscriptions or transcripts of any telephone conversations. Also, the chances are that this data is scattered across various locations, such as on-premises servers, the cloud, or even a good old-fashioned filing cabinet.

Then there is the fact that very few of these documents are going to be clearly mapped as containing information about the data subject. This means that information could be missed, which will not go down well with the requester (especially if they already hold the information being sought, which is a common tactic) or with the regulator when they find out, and it can result in legal action.

Once the data has been collected, any personal or sensitive information not connected to the data subject needs to be redacted or anonymised, which in itself is a hugely time-consuming process if you are not using the right tools.

Preparation is key 

Gathering all this information manually, then redacting it, takes a large number of employee hours. In order to respond in time, some organisations throw additional manpower at the problem, with one in five businesses estimating DSARs cost them up to €28,000. Also, there is the possibility that the data provided will be incomplete.

To save time, stress and money, firms need to put in place systems that enable them to quickly find sensitive information held in both structured and unstructured formats, wherever it is located. Guardum can do this by scanning all data for personal information as soon as it hits the system, a solution that is especially effective across unstructured, difficult-to-process file types. This also applies to hard copies of data which, thanks to Guardum’s partner solutions, can be digitised, brought into a common environment and then searched and classified.

With these processes in place, finding specific details about a data subject can happen automatically with the push of a few buttons. Guardum can also automatically redact any information so that it is protected. All that is needed is a review of which data points have been extracted, to confirm that the redaction or anonymisation is correct, and then the response can be sent to the requester.

When it comes to sending the relevant information to the requester, an organisation has to include a report justifying its actions. However, many firms are not doing this and, in the event of a complaint, DPOs have to go back through their files to see why they sent out the information they did.

Guardum, in contrast, allows annotation notes to be created at the page, document and phrase level to record why information was redacted or not, as well as creating reports and highlighted copies of the documents. This enables DPOs to step back into a DSAR far more quickly and efficiently than any manual process.

With Guardum, completing a DSAR is quick and simple, freeing up valuable time and resources. While the clock is ticking, the 30-day deadline is no longer a race against time.