Know your data and what constitutes personal data
Data protection in this context does not relate to all types of data you retain. It is specifically concerned with data that relates to a living individual and that could allow that individual to be identified from it, either in its original form or in combination with other information that is likely to come into the retaining organization’s possession. As you can imagine, this type of information will include, but is not limited to, the following:
- Date of birth
On top of this, there is also data which is classified as sensitive personal data. This type of data requires extra levels of consent from the data subjects from whom you have collected it and should be given extra levels of protection. This type of data will include, but is not necessarily limited to, the following:
- Sexual orientation
- Health records
- Religious beliefs
- Trade Union membership
In order to ensure that you have an effective, defensible and efficient process, you should look at the following steps, which will equip your organization to respond to DSARs:
- Sitting down with relevant business units in your organization, mapping out data flows from business processes and building information registers
- Establishing repeatable processes to identify, filter and redact data
- Considering the implementation of software or automation solutions to support you with the identification, filtering and redacting of the data as required to fulfil the DSAR requests
If you do not know how effective your current process is, you would do well to arrange a tabletop exercise with the relevant stakeholders in the organization to see how it would work in practice.
Time is of the essence
Organizations currently have 40 days to comply with a DSAR. This means that from the moment you receive the request, the clock starts ticking. Under the GDPR, this time period will be reduced to 30 days, leaving organizations very little room for maneuver when it comes to collecting, reviewing, redacting (if necessary) and returning the information to the data subject. If you have never had to complete a DSAR before, a simulation exercise would be beneficial in determining the maturity of your existing processes and how long it is likely to take your organization to respond to such a request (and also in determining the potential strain that this will place on the normal day-to-day operations of your business).
Don’t be afraid to ask for more information
Don’t forget, you can also get into trouble with the supervisory authority if you respond to a DSAR without appropriately identifying the data subject in question. Remember, you do not have to comply with the DSAR until you have received the information that allows you to validate the data subject. This may include valid photographic identification and proof of address.
The DSAR should not affect the rights and freedoms of other individuals
While it is the law that you must reply to a DSAR giving the subject access to their data, you must not affect the rights and freedoms of other individuals by responding to the request (unless, of course, you have been given consent from the affected individuals to do so). In most circumstances, this will mean redacting information relating to persons other than the original requester. How this is completed needs to be considered by your organization. Will software be used for the process, or can you afford to have someone sitting at a desk reading through the extracted documentation and redacting as needed with a black marker?
Our final tip is to keep contemporaneous records of what searches you have completed. This will make it easier to answer follow-up queries from the data subject and will give your organization a defensible position in the event that a complaint is ever made to the supervisory authority. Having such records will leave very little room for external criticism of your process and procedures.