Privacy, as a topic, is quite en vogue right now. Regulations like the EU’s General Data Protection Regulation (GDPR) and the U.S.’s California Consumer Privacy Act (CCPA) have done a number on organisations already—and the CCPA just launched a month and a half ago!
The cornerstone of these regulations—and therefore, the source of many of the struggles and challenges that companies face—are individual requests for access to the information that a business or organisation has on them. Recently, London-based pharmacy Doorstep Dispensaree became the first UK organisation to be penalised for failing to comply with the GDPR. Among their violations was a lack of information provided to the Data Subjects (violating Articles 13 and 14), resulting in a fine of £275,000.
What is a DSAR (Data Subject Access Request)?
A key feature of privacy regulations is that they allow individuals to see what personal information of theirs that organisations have stored. These requests, known as Data Subject Access Requests (DSAR), require an organisation with data on an individual to produce that information and allow for remediation, usually in the form of deletion.
In the EU, many companies are still playing catchup with the GDPR. They’re aware that they must do something to avoid heavy regulatory fines when it comes to DSARs (up to e20 million or 4% of annual global turnover) but they don’t have a full data inventory or a set process to fulfill DSARs, and therefore no prescribed workflow. Companies in the U.S. still have a little time before regulators start enforcing the CCPA in earnest—but they have to get moving on building up a proper data inventory if they want to accurately fulfill a DSAR. Without a data inventory, it is practically impossible to comply with privacy laws.
After your data inventory has been established, there are steps to completing each request, which we’ve laid out below.
Step 1 – Identifying the data subject’s identity
- How is the individual making the request?
- How do you verify that it’s actually that person making the request?
- How can you automate the process as much as possible?
Organisations need to ensure that each request is genuine, or they open themselves up to more trouble. There are a number of ways to authenticate an individual’s identity—via verification of an individual’s personally identifiable information (PII). This can be security measures that the individual filled out when they created a profile with your company, a piece of government identity, or through information that is specific to your organisation (such as verification of banking or financial institution information).
Step 2 – Confirm the type of request and route it to the relevant person(s)
In order to route the request to the correct department or individual, you must know what information is being requested. If it isn’t a clear request, be sure to confirm the request with the individual. Then, based on the type of request it is, route the request to the correct team in the organisation. That could be a DSAR-specific team, or an individual within a department that handles requests.
Step 3 – Gather the necessary information
- Is your data inventory up-to-date?
- How will collection from all enterprise data sources occur?
If the organisation’s data inventory is up to date, and the DSAR team has a platform with the capability to pull data from all of your organisation’s inter-connected sources (like Office 365 and Gmail, for instance), this could be a fairly simple exercise. Without a central repository or software that can pull data from disparate sources, the DSAR team or individual in charge will typically make the request for information to IT, which takes time and manpower to search for and fulfill the data request.
Step 4 – Review and package the data
- How will you redact documents with PII?
- Does the process harmonise with regulatory obligations and legal holds when remediating data?
- Do you have the capability to format the data as they request?
Without review technology to help, this is perhaps the most onerous task. Once the data has been collected, it needs to be reviewed to ensure that the organisation is returning the correctly requested information, as well as blocking privileged or company-sensitive information that may be part of the request.
Step 5 – Add extra information
This is a good way to protect your organisation’s interests: supplying information that proves that all of the information that was requested has been delivered. That way, should litigation occur, there’s provable documentation that states all of a subject’s information was delivered. Having documentation on your data inventory can also help with that.
Step 6 – Send the package to the data subject
- Can you fulfill these requests securely?
- How will you notify the data subject?
- Keep a processing for closing the ROIR/DSAR
Once the documents have been reviewed and exported, they should automatically be made available to the data subject by the organisation, website, or online portal in an easy but secure way. If the data package is to be sent to the subject, it should be encrypted or secured. Then, you’ll want a process to close out the DSAR and notify your internal teams that the request has been completed.
By the way—we wrote a whole guide about this. If you've got more questions about how to create an effective DSAR response process, read our full guide by clicking the banner below.