Getting ready to deal with Data Subject Access Requests

So the General Data Protection Regulation (GDPR) is right around the corner and while the increased fines are getting the majority of the attention (up to €20 million euro or 4% annual worldwide turnover) something that has escaped a lot of people’s attention is the potential business impact an influx of Data Subject Access Requests (DSARs) will have on their organization.

Yes, it's true that DSARs are not a "new" right that has been given to EU citizens and as such, why should organizations really care? What is likely to change from the current types of requests that are being submitted (or not, as the case might be)?


How about the removal of the nominal fees that can currently be claimed by organizations? In the Republic of Ireland for example, an organization is entitled to request a payment of €6.35 to process such a request on behalf of an individual. While this may not seem like a deterrent, you'd probably be surprised at the drop off rate of such requests when faced with a response letter stating that the fee is required to process the request. The reason for this is that you generally cannot pay this by the most common cash or debit/credit card transactions as such the data subject will need to find an alternative payment method e.g. cheque. Sometimes the hassle of doing this is enough to deter even the most privacy conscious data subject.

Taking these points into account, we have compiled a list of tips that organizations can look to implement now to ensure that you are in a reasonable position to deal with the potential influx of these requests once the GDPR becomes enforceable on 25th May 2018.


Know your data and what constitutes personal data

Know your dataData protection in this context does not relate to all types of data you retain. It is specifically concerned with data that relates to a living individual that could allow that individual to be identified from it either in its original form or along with other information that is likely to come into the retaining organization’s possession. As you can imagine, this type of information will include, but is not limited to the following:

  • Name
  • Address
  • Date of birth
  • Height... 

On top of this, there is also data which is classified as sensitive personal data. This type of data requires extra levels of consent from the data subjects from whom you have collected it and should be given extra levels of protection. This type of data will include, but not necessarily be limited to the following:

  • Sexual orientation
  • Health records
  • Religious beliefs
  • Trade Union membership 

In order to ensure that you have an effective, defensible and efficient process you would need to look at the following as these steps will equip your organization to respond to DSARs:

  1. Sitting down with relevant business units in your organization, mapping out data flows from business processes and building information registers
  2. Establishing repeatable processes to identify, filter and redact data
  3. Considering the implementation of software or automation solutions to support you with the identification, filtering and redacting of the data as required to fulfil the DSAR requests

If you do not know how effective your current process is, you would do well to arrange a table top exercise with the relevant stakeholders in the organization to see how it would work in practice.

 

Time is of the essence

time is of the essenceOrganizations currently have 40 days to comply with a DSAR. This means that from the moment you receive the request the clock starts ticking. Under the GDPR, this time period will be reduced to 30 days leaving organizations very little room for maneuver when it comes to collecting, reviewing, redacting (if necessary) and returning the information to the data subject. If you have never had to complete a DSAR before, a simulation exercise would be beneficial in determining the maturity of your existing processes and how long it is likely to take your organization to respond to such a request (and also determine the potential strain that this will cause to the normal day to day operations of your business).

Don’t be afraid to ask for more information

Don’t forget, you can also get into trouble with the supervisory authority if you respond to a DSAR without appropriately identifying the data subject in question. Remember, you do not have to comply with the DSAR until you have received the information that allows you to validate the data subject. This may include valid photograph identification and proof of address.

 

The DSAR should not affect the rights and freedoms of other individuals

While it is the law that you must reply to a DSAR giving the subject access to their data, you must not affect the rights and freedoms of other individuals by responding to the request (unless of course you have been given consent from the affected individuals to do so). In most circumstances, this may mean redacting information relating to persons outside of the original requester. How this is completed needs to be considered by your organization. Will software be used for the process, or can you afford to have someone sitting at a desk reading through the extracted documentation redacting as needed with a black marker?

Keep records

Our final tip is to keep contemporaneous records of what searches you have completed. This will make it easier if you need to answer follow up queries from the data subject and will give your organization a defensible position in the event that a complaint is ever made to the supervisory authority. Having such records will leave very little room for external criticism of your process and procedures.

While the above advice is a good starting point, we have really just scraped the surface when it comes to dealing with DSARs and implementing effective policies and procedures. Ultimately, every organization will be different and the common blueprint will need to be tailored to suit the needs of an individual organization. With 2018 almost upon us, perhaps it’s time you considered how to implement your own blueprint.