This article originally appeared in The Legal Technologist November/December 2023 Issue.
Learn more about The Legal Technologist on their website https://www.legaltechnologist.co.uk
As individuals, we have the legal right to access personal data held by an organisation, and an increasing number of requests are submitted each year. Recently, politician Nigel Farage and Caroline Green famously and publicly spoke of their own DSAR requests, thrusting DSARs back into the spotlight.
Consequently, organisations (particularly financial institutions) are bracing for an onslaught of customer DSAR requests.
What is a DSAR?
The 1998 Data Protection Act introduced the concept of individuals in the UK having a right of access to personal data held by their employers or other organisations. In May 2018, the General Data Protection Regulation (GDPR) legislation came into force, making the DSAR process easier and more accessible for individuals. The ability to access your personal information is empowering and is an essential tool in our data-driven society. Conversely, it is a costly, disruptive exercise for organisations, particularly when it is weaponised as an act of defiance or retaliation. The deadline for response is only one calendar month following receipt (extensions are possible under limited circumstances).
How can organisations ease the burden of processing DSARs whilst also ensuring individual rights are upheld within the necessary timeline?
Effective Data Governance
There is more to GDPR than just DSARs. The GDPR drives accountability for the way in which organisations control and process personal data. If an organisation doesn’t have robust policies/procedures, it risks fines and penalties for violation. Effective data governance is critical.
To establish a strong data governance policy, organisations need to understand:
• What data is collected?
• Who does it belong to?
• Why was it collected?
• How/where is it stored?
• Who has access to it?
• How is it shared/used?
• How long is it being retained and is it purged when retention is no longer required?
Maintaining compliance requires an ongoing process of monitoring business practices. Policies and controls must be regularly assessed. Key documents such as staff and public privacy notices must be accurate. Continuing compliance activities may include conducting impact assessments for new systems, reassessing security procedures, and analysing new and existing contracts and agreements to ensure that data processing meets the requirements of GDPR.
Having a data governance policy in place and being fully GDPR compliant is critical. But what happens when those dreaded DSARs come through the door?
DSAR Process and Procedure
If you don’t have a clear and documented DSAR process, you need to design one as a priority! Your DSAR procedures should be governed by a process document or playbook.
It should clearly map out who is part of the response team and the tasks they are responsible for, along with timelines. Your DSAR team may include external advisors such as lawyers, eDiscovery companies and/or document review expert service providers. If so, include their contact and process details.
If your organisation expects both employee and customer DSARs, make sure your playbook accounts for that, as the process will differ.
For example, customer data may be more structured and templated in nature, but employee data will include information from multiple sources across the organisation in numerous formats (email, HR files, financial, etc.). This means there will be differences with respect to collecting, processing and reviewing the data.
What stages should I include in my DSARs process?
Stage 1: Acknowledge and Validate
- Acknowledge receipt and confirm the timeline
- Ask questions if needed to fully understand the scope and avoid time wasted down the line
- Validate the identity of the requester. Disclosing personal data to the wrong person comes with serious and costly consequences!
Stage 2: Collect and Process the Data
Don’t make assumptions; ensure you conduct a thorough check of all systems and servers. Depending on volume, technology tools can be utilised to effectively cull the data, saving time at the next stage. If an eDiscovery provider is engaged, they will advise on analytics and use of AI. For example, deduplication, email threading and the application of search terms (variations of the requester’s name, for example) will all be beneficial.
Stage 3: Review and Redact the Data
Review the data to ensure it is responsive to the request, that no exemptions apply, and redact personal data that is not that of the requester. This step can take time and is costly to an organisation, as generally there is a lack of capacity to take on a full review and redaction exercise.
Many organisations elect to use a specialist document review services company for this phase. In doing so, the organisation gains not only a cost and time saving but also benefits from project management skills and subject matter expertise, both of which help to significantly reduce the burden.
Input from internal or external legal advisors is crucial.
Exemptions to disclosing personal data exist within the GDPR but the application of those exemptions can be complex. Once the data has been fully reviewed and redacted, the next step is to share the data with the requester.
Other Best Practices
What else can an organisation do to ease the burden?
Record Keeping and Communication
Keeping a record of all communications and actions undertaken for each DSAR processed is key.
Good record keeping provides the organisation with evidence of compliance with both internal processes and legal requirements. Also, keep the channel of communication with the requester open. Providing clear and timely updates on progress is good practice and can save you unnecessary headaches.
Lessons Learned and Continuous Improvement
GDPR compliance requires ongoing monitoring, assessment and updating. This practice should also apply to your DSAR process and playbook. If there are lessons learned along the way, ensure your playbook takes these into account and is updated.
Education and Training
Finally, there is no point in having robust data governance policies and a watertight DSAR process if both are not bolstered with training and education. At a minimum, training should take place during onboarding with regular refreshers thereafter.
This is central to reducing risk and alleviating the burden whilst also upholding the legal rights of all individuals who interact with your organisation.