The Data Subject Access Request (DSAR) has become synonymous with protecting individuals’ data privacy rights from misuse by public administrators and private enterprise. At the same time there’s no denying that responding to requests within the mandated 30 days costs organisations a great deal of time and money. For many, the sheer complexity of requests, combined with a lack of adequate systems in place, necessitates an extension to the deadline, which equates to a corresponding increase in resources.
This is being compounded by the fact that the public are becoming more savvy about their rights to request any personal data held about them, including information held by employers. Around three-quarters of EU firms (71 percent) have received DSARs from their staff since the introduction of GDPR.
To help reduce the amount of resources they spend on DSARs, organisations need to set up mechanisms that enable them to quickly and accurately find all the data concerning any individual wherever it is held.
The ticking clock
An individual’s right to have access to their personal data and their right to have it removed can present major challenges for businesses. Put simply, no two requests are the same. For this reason, businesses have no way of anticipating what an individual will request, how broad its scope will be, or how much detail it will require. One request, for instance, may simply ask for a blanket deletion of data. The next one could just as easily ask to see all the emails, text messages and Microsoft Teams conversations about them for a specific period.
To fulfil the request a data protection officer or administrator must find every single piece of information about that person in accordance with the parameters specified in the request. It makes no difference if the information resides as structured or unstructured data. Manually searching for this information may mean logging onto various central systems and/or looking through paperwork as well as having to ask individual employees if they have digital or physical records of anything mentioning the requestor. That data then needs to be organised and redacted or shared as required, all of which takes a huge amount of time and effort.
Further, if anything is missed and the subject realises, they can lodge a complaint. They can likewise complain if the tight calendar month deadline is missed without an extension agreement in place.
The financial cost
Given that some larger businesses can receive up to 500 DSARs a month, there is a huge potential financial cost in having to respond to them. Research shows that UK businesses spend, on average, £1.59 million and 14 person-years annually processing DSARs. Much of this cost can be attributed to having to gather, collate and redact information manually.
Some of these costs are simply the personnel needed to complete requests. For instance, a DPO has an average salary of around £50,000 a year, and they might be supported by two assistants in the commercial sector, and 10 or more assistants in the public sector. Other costs will come from having to seek legal help, with some businesses outsourcing more complex DSARs to legal firms at around £23,000 per request. There could also be litigation costs and fines for non-compliance.
The human cost
Alongside the raw financial costs, there is also the human cost to consider. DPOs are under a huge amount of pressure to respond to DSARs in time. On average they might have to deal with some 50 emails per DSAR all with varying types of attachment and all needing redaction of PII concerning other parties. And then there is always the worry that something has been overlooked.
Adding to this stress is the lack of strategic concern regarding DSARs from the C-suite. This often means that data protection officers are rarely at the top table and struggle to have a dedicated budget to manage their workload. Research from the Data Protection Network reveals that more than half of DPOs feel under significant pressure, while a third feel they have not been given sufficient resources to support their role.
They fight a lonely battle to gain the awareness and influence needed to manage the issue effectively. Unsurprisingly, DPOs often feel that they are behind the curve, running to catch up, and struggling to meet deadlines. For them, the clock is always ticking, and they are always behind.
How automation can help
When thinking about being able to respond quickly and accurately to DSARs, the old adage is true: failure to prepare means preparing to fail. Businesses need systems and processes that let them act upon DSARs as soon as they are received. One of the most important steps is to implement automated tools to collect and collate structured and unstructured data from around the organisation to make it readily accessible to the DPO when working on a DSAR.
Organisations that still have a significant volume of physical assets such as paper files must first scan them into the system. At least it only needs to be done once. Any new piece of information that subsequently enters the system will be categorised automatically, saving resources in the long run and ensuring the data catalogue is always up to date.
Done well, automating the process saves a great deal of time and manpower. DPOs can suddenly access everything they need in minutes where, until recently, it would have taken weeks. Further, automation can also help to redact any data that is not pertinent to the DSAR.
With the proper use of automation, firms can respond to DSARs quickly and accurately while dramatically reducing the financial and human costs to their business.
By Darren Wray, Co-Founder and CTO at Guardum