Dealing with a Data Subject Access Request
Data Subject Access Requests (DSARs) enable individuals to request what information is being held about them from an employer. Since their introduction, as part of the Data Protection Act 1998, there has been a significant increase in the amount of electronic data being processed and held by employers. Add to that the reduction in the time firms have to respond to a request, implemented as part of General Data Protection Regulation (GDPR) in May 2018, and ensuring compliance is no small task. In this Q&A, Matt Smith, CEO of SteelEye, discusses DSAR and outlines how firms can comply smarter.
What is a DSAR and how can it affect firms?
DSAR allows employees (or former employees) to request all, or some, of the data held on them as individuals, and can be made in a written or verbal format or even via social media. This includes data held in emails, employee records, or anything else that enables an individual to be identified.
Once a request has been submitted, an organisation has thirty days to collect and present all the data, reduced from forty days when GDPR was implemented.
Given the quantity of data involved, the impact of receiving a DSAR should not be underestimated. It necessitates considerable knowledge of GDPR and an understanding of how to present the data in order to comply.
What are the challenges facing firms in the case of a DSAR?
The right to access personal data is not new, but GDPR has ushered in a new age of ownership for employees in respect to the data their employers hold. This data can be requested at any time, and while it is an important aspect of a person’s rights under GDPR, it puts an enormous burden on companies having to respond.
A Talend report in September 2018 found that 70% of businesses are unable to comply with DSARs within this timeframe, indicating how potentially insurmountable these requests can be, even for a properly resourced compliance team.
The parameters of a DSAR include any communications pertaining to that employee even if not addressed to him/her, how the personal data is being used, and for how long the data is being retained. Given the time sensitive nature of these requests, and evidence stating that the average employee sends and receives 620 emails a week, appropriate measures must be in place to stop compliance teams and data protection officers being overwhelmed by this seemingly innocuous task.
Once this process has been completed the information must be presented in a coherent and easily digestible format. The laborious nature of this process can result in significant cost to any business, such as one case recently that required sifting through half a million emails, costing the firm over £100,000.
Is there any way around it?
There are certain stipulations that companies can take advantage of, as well preparations they can make. Under GDPR an employer can extend the deadline for a DSAR response by two months if the request is deemed ‘complex’ or numerous. There is also scope for refusing a DSAR request if an employee is clearly engaging in vexatious litigations or generating requests for the sole purpose of disrupting a business. While this is extreme, any organisation must know their rights to refusal.
What is the best way of dealing with a DSAR?
Since Subject Access Requests (SARs) were introduced, technology has become more readily available to minimise their impact, especially now that GDPR requires proper management of employees’ data. Previously, experts have grappled with the best way to pre-empt and manage requests, either online documentation, or through basic training to allow for a more efficient process.
Fortunately, technologies associated with trade and communications surveillance have made DSARs much easier to manage. The ability to track data using machine learning has made it possible to streamline the process. It is a company’s responsibility to incorporate the appropriate regulatory apparatus that not only allows them to comply with their international obligations, but also their individual ones, capitalising on the power of modern software.
The DSAR is an integral part of modern data ownership but the process and costs associated with compliance can be detrimental to a business. Knowing the boundaries to which requests can be pushed, as well as utilising effective technology is the only way to avoid the pitfalls of a DSAR.