Consumers are becoming increasingly aware of the data that the organizations they interact with hold about them and, quite rightly, they expect that data to be managed in a responsible way.
This awareness is leading to an increased number of Data Subject Requests (DSRs) or Data Access Security Requests (DASRs) being received from individuals. It raises the question of how prepared organizations are in dealing with these requests, which are only likely to increase as consumers become more data conscious.
A webinar hosted by BSI in October, ‘The cost of DSRs: How to manage and anticipate data subject requests’, provided some really useful guidance and advice for organizations looking to sharpen up how they respond.
BSI co-presenters Inés Rubio, Head of Information Management and Incident Response, and Conor Hogan, Senior Information Governance Manager, covered some of the core principles that organizations should take on board. They also highlighted some of the risks of not being properly prepared to comply with requests.
Organizations need first of all to be aware that individuals have a fundamental right of access to data held about them. Data privacy and access to data are core elements of data protection and privacy laws around the world, with legislation such as GDPR regulations in the UK.
Requests come under three general headings: providing someone with a copy of data held about them; deleting data; and updating or changing data, for example, to make it more accurate.
The challenge for organizations is, ‘how do I respond in a way that fulfils all of my legal (and moral) obligations without impacting negatively on my operations?’
If organizations don’t have a system in place – and one that has been stress-tested so they know it works – they face some serious risks. First of all there are the unseen and difficult-to-quantify costs of extracting data from a system not designed with that in mind.
In addition, there is not only the cost of finding the required data and then taking the necessary action, but also the opportunity cost of those employees being taken away from their normal duties.
Inés and Conor also identified an increased number of court cases for when things go wrong – particularly in the US – and data is lost, stolen, or used incorrectly. These could be brought by an individual or, more worryingly, as a class action.
Facing legal challenges is potentially costly and damaging to operations, and it will inevitably damage the brand and reputation of the organization and erode trust that could have taken years to build up.
The ideal is for organizations to take a holistic approach to managing data, and there is no shortcut to this. In other words, you need to do your homework.
Inés and Conor identified three questions that the organization should be able to answer as a starting point: What data do we have? Where is that data held? How do we provide the data requested or carry out the action?
The more time you spend understanding your data and how to manage it, the further ahead you will get, not just in being able to respond to DSRs but in many other areas that will benefit your business, such as information management or information security.
The problem for many organizations is that they have systems that have built up in an ad hoc way with no clear sight of how data is structured or how accessible it is. Tools exist to help retrieve data but the best solution is to implement a system that incorporates ‘privacy by design’. It helps to regard this as a continuous process as technology is continually changing and providing new and better solutions.
Responding to DSRs is not all about avoiding negative repercussions; there are some real positives to be realized from implementing a robust system. In the same way that consumers look positively on organizations that are reducing their CO2 emissions, having a reputation for handling data responsibly and providing ready access for consumers can be a real differentiator in the market.
On the commercial side it can also help win business when pitching for contracts. Increasingly organizations want to know that their suppliers take privacy and data protection seriously and they will be looking closely at your track record in order to manage their risks.
In summary, the more effort your organization puts into understanding what data you hold, where it is held and how to retrieve it, the better prepared you’ll be to deal with DSRs. This in turn will protect your organization’s reputation and operations, help protect the rights of the people whose data you hold and help you to manage your operational risks.
More detailed guidance on this subject can be found in ISO/IEC 27701, Security Techniques. The document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS).
Listed below are further standards which professionals responsible for managing data will also find very useful:
ISO/IEC 29190:2015 Privacy capability assessment model
BS 10012:2017+A1:2018 Data protection. Specification for a personal information management system
BS 10010:2017 Information classification, marking and handling. Specification
ISO/IEC 29134:2017 Guidelines for privacy impact assessment
ISO/IEC 29151:2017 Code of practice for personally identifiable information protection
ISO/IEC 27018:2019 Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
ISO/IEC TR 27550:2019 Privacy engineering for system life cycle processes
Protect your organization’s reputation with key data protection standards
Data breaches can stem from many different aspects of an organization’s operations, including employee error, network vulnerabilities, and infrastructure failures. With businesses more reliant on data, the demand for protection has never been so high. Standards can help safeguard intellectual property, data, and protect valuable IT infrastructure. Discover the standards needed for data protection.