July 15, 2020

Three ingredients for successful DSAR management

By David Thomas, Privacy & Cyber Director at Millennial Risk LTD.

Following the second anniversary of GDPR, guest contributor David Thomas, privacy and cyber consultant and former DPO, shares his perspective on how process, people and technology make up the three essential ingredients for successful DSAR management.

It has been over two years since GDPR passed into law, yet organisations continue to adapt their operations to fulfil the obligations it introduced. Firms have experienced a huge cultural shift in how privacy is addressed. One of the most visible changes has been the increasing importance of the Data Subject Access Request (DSAR).

The majority of businesses have, by now, put in place their own approaches for dealing with DSARs. In many cases these processes are piecemeal and rudimentary. The systems put in place are often designed to handle a steady influx of DSARs, and are rarely stress tested to see what happens when the number of requests suddenly increases. At present this is an increasingly likely scenario, as businesses receive DSARs from employees who have been laid off or furloughed during the COVID-19 lockdown. Being unable to scale up quickly to deal with a sudden spike in requests puts an organisation at risk of complaints and regulator scrutiny.

In my experience the three essential ingredients for successful DSAR management are as follows:

Process: Is it fit for purpose?

One of the challenges when planning DSAR management is that volumes can be very hard to predict. A company might receive no new requests for months, then suddenly receive several very complex ones all at once. DSAR strategies must therefore have breathing room built into their processes to accommodate unpredictable rises and falls in demand.

An important first step is to assess whether the current DSAR process can cope with sudden changes in volume or unexpected complications. For example, in one case I encountered, a DSAR arrived in the post addressed to the privacy team. Several days were wasted before the request was forwarded on, because there was no provision in place for dealing with physical DSAR correspondence: the mailroom had trouble locating the privacy team as it had limited access to intranet services. In a time-critical situation, where you have 1 month to respond, any delay is bad.

People: Collaboration is key

It is equally important to understand how people in different departments communicate and collaborate with one another. The majority of requests need involvement from the IT department, while DSARs raised by current and former employees need the attention of HR, and potentially also the company’s legal and privacy specialists.

With so many parties involved, it is essential to have good governance in place to manage collaboration between departments. All parties must be made to appreciate the importance of DSARs, and communication is pivotal here as well. If a DSAR begins to take on an increasing legal dimension, the teams involved must adopt a restrained approach when discussing the subject matter to avoid prejudicing themselves. Training and awareness in this respect are vital.

Technology: Automate as much as you can

Alongside having the right people and processes, handling DSARs also requires the right technology. Completing DSARs can be very time-consuming without the right tools. By far the most time is spent searching through systems for relevant data. This is particularly true when a request is complex and requires access to copious amounts of data from multiple areas of the business.

Manual searches are a major drain on resources, and default operating system search tools are not designed to support the kind of targeted activity required for DSAR fulfilment: searches involving thousands of files take ages to process. Likewise, when it comes to data redaction, some firms still edit individual documents manually using Word or Adobe. Such an ‘elbow grease and long shifts’ approach can only carry you so far.

A better approach is to consider using specialised tools that can complete searches quickly, return accurate results and automate as much of the process as possible.

In this respect, a tool like Guardum really stands out. It quickly locates the required data across different repositories and systems, automating essential but time-consuming tasks like data redaction. With Guardum, data points in all relevant files can be redacted simultaneously. Files can even be redacted by default as soon as they are first created and saved on the system.

Guardum also neatly addresses the collaboration issue, allowing multiple parties to work together to share and edit data as needed. All activity can automatically be fed into an audit trail for examination by compliance auditors or legal professionals, reducing the need for and volume of email conversations.

In summary, successful DSAR management starts with sound procedures, good collaboration, and governance across multiple teams, underpinned by good automation tools such as Guardum. Together, these three ingredients give organisations the flexibility needed to handle even the biggest avalanche of unexpected DSARs.