24 May 2018
New research by BSI, the business improvement company, has revealed that over half of European organizations have no fixed method in place for responding to Data Subject Access Requests (DSARs). The research, carried out by the Cybersecurity and Information Resilience division of BSI in preparation for the GDPR, also highlighted that a third of European businesses rate themselves as highly likely to receive a DSAR.
A DSAR is the legal mechanism which allows an individual in the EU to obtain confirmation of whether an organization holds personal data on them, an account of that data and the purposes for which it is being processed, and a copy of the data should they wish.
DSAR and the GDPR
The GDPR, which comes into effect on Friday 25 May, has greatly increased citizens' awareness of their rights as data subjects. It also removes a factor that previously deterred requests: organizations processing or collecting personal data on EU citizens will, in most cases, no longer be able to charge a fee for responding to a DSAR (currently UK organizations may charge up to £10, or £2 if the request is to a credit reference agency for information about financial standing only).
All companies will need to comply with stricter rules concerning the data protection and privacy of data subjects (citizens) within the EU under the GDPR. Failure to comply could result in fines of up to €20 million or 4 per cent of an organization's annual global turnover, whichever is greater.
DSAR and impact on resources
While data requests from private citizens are not a new phenomenon, submitting one is about to get significantly easier under the GDPR. The channels through which an organization can receive a DSAR have expanded beyond the traditional postal and email routes: a request can now be made verbally in person or over the phone, through a live chat portal, or even via social media channels.
The research also asked respondents what budget they expect to allocate to handling DSARs after 25 May, and one in five organizations estimated a cost of up to €28,000.
Under the GDPR, organizations will now be expected to complete DSARs within one month, rather than the existing 40-day timeframe (the one-month period can be extended by a further two months for complex or numerous requests, but the data subject must be told of the extension and the reason for it within the first month). Sources of data within an organization can include CCTV footage, phone call recordings, web chat logs, CRM records and order history. Where a DSAR relates to an employee, it can also include all emails, any meeting minutes in which the employee's name is mentioned, and documents or correspondence relating to any work they have done.
Commenting on the research, Stephen O’Boyle, Head of Professional Services at BSI, said the implications of DSARs could be onerous: “The resources required to undertake a DSAR can be considerable, and shouldn’t be underestimated. Organizations will be expected to wade through huge volumes of data within the reduced one month window stipulated by the GDPR.”
There is also a concern that organizations may face disruptive DSARs from disgruntled customers or ex-employees, those with a personal gripe, or someone with enough knowledge to cripple an organization with an extensive DSAR. Addressing UK organizations directly, Stephen continued: “The motive behind DSARs is not always clear but the end result may include significant costs in responding in terms of resources, and the risk of a complaint to the Information Commissioner’s Office if your handling of a request falls short. Preparation is key and organizations who have a structured plan in place and who consider additional supports to aid it, such as additional technology and staff awareness training, will reduce the risk of non-compliance in responding to a DSAR.”
The Cybersecurity and Information Resilience division of BSI provides a range of solutions to help organizations become GDPR compliant including consulting, training, research, technical solutions and outsourced Data Protection Officer (DPO) services. For more information visit https://www.bsigroup.com/en-GB/our-services/Cybersecurity-Information-Resilience/.
Notes to Editor:
Over 1,800 European respondents took part in the research, including participants from Belgium, France, Germany, Ireland, Italy, the Netherlands, Poland, Spain and the UK.
The research was carried out as part of the BSI Cybersecurity and Information Resilience Path to GDPR compliance series which included a webinar on getting ready to respond to a DSAR.
Respondent industry sectors covered Aerospace & Defence; Chemical & Utilities; Education; Energy; Financial; Government; Healthcare; Information Technology; Insurance; Legal; Manufacturing; Retail; Telecommunications; Transportation & Distribution.