Even though Data Subject Access Requests (DSARs) were a right before the enforcement of the GDPR, they have gotten a lot of attention since May 2018.
They have become more prominent and easier to submit, which is causing some organizations unnecessary heartache. But how do you avoid using an excessive amount of internal resources to respond to these requests?
DSARs are a simple concept: a consumer or an employee should be able to find out what personal data an organization holds about them. Under the requirements of the GDPR, organizations should already know where their data is stored and what it contains.
Has your organization struggled to respond to a DSAR?
It should be reasonably “simple” to search for Personally Identifiable Information (PII) and submit it to the subject. However, reality is always a little more complex than theory. Here are some of the reasons why that might be:
- Organizations sometimes use the same files, such as Excel spreadsheets, to store PII related to multiple individuals. This is particularly common with data related to employees. Any sensitive data related to other people will need to be removed or redacted from the documents, which is a slow and intensive process if done manually.
- Organizations may know where their data is but may not always have the right tools in place to easily access, search and export the data in scope for the DSAR.
- If an organization doesn’t have the right tools in place, it is often too late to source and implement one once a request is received. The timeframe to respond to a DSAR is within one month of receipt.
- If a large amount of human resources is needed to respond to a DSAR, it can consume their day-to-day operations, potentially increasing the risk of sensitive data being shared as things are done in a panic, with no processes or best practices in place and no formal quality-checking mechanism.
How can organizations respond to DSARs without consuming all their internal resources?
Preparation is key. A DSAR should not be a heavy burden for organizations that are ready, know what steps must be taken to respond to such a request, and know what tools will assist them in doing so. Having the following ready will help you respond in an efficient manner:
- Adequately mapped data flows, so that you understand where the data is stored and what is in scope;
- Robust processing and searching capabilities;
- Automated redaction capabilities, to reduce the amount of manual work needed to remove additional sensitive data related to individuals other than the requestor.
BSI CSIR offers a managed DSAR automation service that responds in the most efficient way by using the best technology to an organization’s advantage. This is a tailored process and workflow in which the end user’s focus and efforts are primarily at the Quality Control (QC) stage, instead of worrying about the process of searching, manually checking and redacting every document, and wasting time on the false positives that come up. The figure below represents a typical workflow sequence in responding to a DSAR:
With BSI CSIR’s support your organization will have known processes and procedures for responding to a DSAR, tailored to your organization’s working methods and data flows. The use of a centralized cloud application for searching, review, analysis and automated redaction will facilitate the process, especially for organizations that have migrated or are migrating to Office 365.
DSARs are a simple concept and responding to them shouldn’t be a nightmare. Our experts are here to make sure that this process is as smooth as possible and that you gain maximum benefits. Contact us now to discuss how we can support you with DSARs.